Parent Policy: Security for Information Technology
Document #: 10.01.002.001
Computers connected to the Berkeley Lab network must meet minimum security requirements. Minimum security requirements establish a baseline of security for all systems on the Berkeley Lab network. Non-compliant devices may be disconnected from the network.
Cyber Security Operations will modify these requirements based on changing technology and evolving threats.
Requirements
Legend (platform columns): Required, Recommended, Not applicable.
# | Topic | Requirement | Tips on Implementing | Windows | Apple | UNIX/Linux |
--- | --- | --- | --- | --- | --- | --- |
1 | Antivirus Software | You must run antivirus software; Windows must use CrowdStrike. | Download CrowdStrike from software.lbl.gov. | | | |
2 | Application Patches | Install critical application patches. When available, enable automatic update functionality. Cyber Security enforces patching of critical patches. | Windows and Apple: download BigFix from software.lbl.gov for easy desktop application patching. | | | |
3 | Clear-text Authentication | Encrypt passwords when authenticating; do not transmit passwords in clear text. | Do not use Telnet, as it is unencrypted. | | | |
4 | Institutional Accounts | Only employees or affiliates may have institutional accounts (i.e. Berkeley Lab Identity/LDAP and Active Directory). | The Account Management FAQ describes procedures for obtaining and managing accounts. | | | |
5 | Logging | Log to the central logging servers. | Apple and Linux: use the Central Syslog Server instructions. | | | |
6 | Network Services | Secure network services on your computer as follows: | | | | |
7 | Passwords | Passwords used on Laboratory IT must meet one of the approved password requirement templates. Template 1 is in place for Berkeley Lab Identity (LDAP) passwords and Template 2 is in place for Active Directory (AD) passwords. In all cases the following apply. | Reset your password at password.lbl.gov. Also, try a password manager like 1Password, available at software.lbl.gov. | | | |
8 | Mobile Device PIN Lock Screen | Mobile devices, both personal and Lab-issued, used to authenticate to institutional resources must be protected by a PIN lock screen. Examples of institutional resources include Gmail, Google Calendar, LETS, and multifactor authenticator tokens in Google Authenticator. | Biometric authentication, including fingerprint or facial recognition, and lock screen patterns are an acceptable alternative. | | | |
8 | Operating System Patches | Install critical operating system patches. When available, enable automatic update functionality. Cyber Security enforces patching of critical patches. | Windows: use "Automatic Updates". | | | |
9 | Training | Complete the training requirements appropriate for your position. | The JHA (or new WPC) system will notify you of your cyber training requirements. | | | |
Exceptions
Please email [email protected] and/or review Section D.3 "Exceptions and Enforcement" of Security for Information Technology for our policy on additional exceptions.