Parent Policy: Security for Information Technology
Document #: 10.01.002.001

Computers connected to the Berkeley Lab network must meet minimum security requirements. Minimum security requirements establish a baseline of security for all systems on the Berkeley Lab network. Non-compliant devices may be disconnected from the network.

Cyber Security Operations will modify these requirements based on changing technology and evolving threats.

Requirements

(tick) = Required   (minus) = Not applicable


# | Topic | Requirement | Tips on Implementing | Windows | Apple | UNIX/Linux

1

Antivirus Software

You must run antivirus software; the Lab recommends CrowdStrike.

Download CrowdStrike from software.lbl.gov.

Windows: (tick)   Apple: (tick)   UNIX/Linux: (minus)

2

Application Patches

Install critical application patches. When available, enable automatic update functionality. Cyber Security enforces installation of critical patches.

Windows and Apple: download BigFix from software.lbl.gov for easy desktop application patching.

Windows: (tick)   Apple: (tick)   UNIX/Linux: (tick)

3

Clear text Authentication

Encrypt passwords when authenticating; do not transmit passwords in clear text.

Do not use Telnet as it is unencrypted.

Windows: (tick)   Apple: (tick)   UNIX/Linux: (tick)

4

Institutional Accounts

Only employees or affiliates may have institutional accounts (i.e. Berkeley Lab Identity/LDAP and Active Directory).

The Account Management FAQ describes procedures for obtaining and managing accounts.

Windows: (tick)   Apple: (tick)   UNIX/Linux: (tick)

5

Logging

Log to the central logging servers.
Exemption: Do not log if your computer is offsite or frequently offsite (e.g. a laptop).

Apple and Linux: Use Central Syslog Server instructions.

Windows: (minus)   Apple: (tick)   UNIX/Linux: (tick)

6

Network Services

Secure network services on your computer as follows:

  • Only activate network services needed to support your work. Unnecessary network services increase your risk of compromise.
  • Limit network access to only computers that need access.
  • Example: Webservers are a network service. Only use them if you need to and only open your webserver to the Internet if it's a public service; otherwise, limit access to within the Berkeley Lab perimeter.


Windows: (tick)   Apple: (tick)   UNIX/Linux: (tick)

7

Passwords

Passwords used on Laboratory IT must meet one of the approved password requirement templates.

  • Template 1
    • Minimum 14 characters
    • Strong on the strength meter (e.g. using the "zxcvbn" open-source library)
    • Change every year

  • Template 2
    • Minimum 14 characters, using 3 of the following character sets
      • 1 lowercase letter
      • 1 uppercase letter
      • 1 number
      • 1 special character
    • Change every year

Template 1 is in place for Berkeley Lab Identity (LDAP) passwords and Template 2 is in place for Active Directory (AD) passwords.

In all cases the following apply.

  • Do not use the last five passwords
  • Do not reuse the same password on multiple accounts or services
  • Do not share passwords except in emergency circumstances or when there is an overriding operational necessity.

Reset your password at password.lbl.gov. Also, try a password manager like 1Password, available at software.lbl.gov.

Windows: (tick)   Apple: (tick)   UNIX/Linux: (tick)

8

Mobile Device PIN lock screen

Mobile devices, both personal and Lab issued, used to authenticate to institutional resources must be protected by a PIN lock screen. Some examples of institutional resources include Gmail, Google Calendar, LETS, and multifactor authenticator tokens in Google Authenticator.

Biometric authentication, including fingerprint or facial recognition, and lock screen patterns are an acceptable alternative.

Windows: (tick)   Apple: (tick)   UNIX/Linux: (tick)

8

Operating System Patches

Install critical operating system patches. When available, enable automatic update functionality. Cyber Security enforces installation of critical patches.

Windows: use "Automatic Updates".
Apple: use "Software Update".

Windows: (tick)   Apple: (tick)   UNIX/Linux: (tick)

9

Training

Complete Training Requirements appropriate for your position.

The JHA (or new WPC) system will notify you of your cyber training requirements.

Windows: (tick)   Apple: (tick)   UNIX/Linux: (tick)


Exceptions

Please email [email protected] and/or review Section D.3 "Exceptions and Enforcement" of Security for Information Technology for our policy on additional exceptions.
