Computing and Communications technologies form key parts of the conduct of LBNL’s science and support for science, and the Laboratory’s use of IT resources should always reflect the intelligence, quality, integrity, and competence of the Laboratory and the University. LBNL’s computing and information policies support the responsible and secure stewardship of these assets, in order to maximize their contribution to the mission of the Laboratory, the University, and the Department of Energy.
This section describes the basic computing and communications policies of LBNL. These requirements apply to all LBNL computing resources, including those used off-site. Requirements related to Laboratory information apply wherever that information resides, including on non-Laboratory owned equipment.
Additional policy and procedure supporting this section may be found on the CIO Policy Website http://www.lbl.gov/CIO/Policy/.
Information on IT services is available from the IT Division: http://www.lbl.gov/IT/ or by dialing Extension HELP, or by e-mail to firstname.lastname@example.org.
LBNL is an unclassified, open research environment. The Laboratory’s work is such that it can be freely communicated to the scientific and technical community. The Laboratory’s computing environment supports research work intended for publication. Additional steps must be taken to secure information not intended for publication when it resides on Laboratory systems.
Classified and DOE sensitive material, including Unclassified Controlled Nuclear Information (UCNI) and Naval Nuclear Propulsion Information (NNPI) as well as National Security Information, are prohibited on Laboratory systems and networks. The Laboratory discourages the presence of any information or research activities that would require a change to the security stance of the institution, and such activities may only be approved when the risk is acceptably mitigated.
LBNL information technology assets will be treated in a responsible manner throughout their lifecycle. This includes appropriate planning, implementation, maintenance, and disposal of computing and information assets. All members of the LBNL community are accountable for providing appropriate stewardship of the computing and information assets they utilize and manage. This includes appropriate information and computer security, information management, continuity and lifecycle planning, and asset management.
All use of LBNL computing and communications resources by all users, including employees, guests, collaborators, and casual users, is subject to monitoring. No user of LBNL systems has any expectation of privacy in their use of these systems, subject to applicable State, Federal, Department of Energy, and University law and policy. Laboratory employees have a responsibility to monitor systems under their control in a limited manner to ensure the security and performance of these systems. However, broad authority to monitor content and transactions for security or acceptable use is limited to those granted such authority by the CIO, Laboratory Director, or Deputy Chief Operating Officer. In all cases, Laboratory employees engaged in monitoring are expected to access the minimum amount of information necessary to accomplish the task they have been assigned, and to treat such information in a confidential manner as appropriate. In addition, special restrictions apply to the monitoring or recording of telephone conversations, which are typically illegal without the consent of all parties.
All systems, per DOE policy, must display the DOE Warning Banner to provide notice of this policy to users. Login to or use of a system displaying the banner functions as written consent to the requirements and policies of the DOE Warning Banner and LBNL policy, for that system and all other DOE systems.
The Laboratory’s computer systems and all information contained in these systems must be appropriately protected from unauthorized use, alteration, manipulation, and disclosure. In keeping with the principles of Integrated Safeguards and Security Management (ISSM), security is the responsibility of the user and his or her line management. Users, data owners, and system owners must take appropriate precautions to secure the confidentiality, integrity, and availability of systems and data, and line management must provide adequate oversight to assure these precautions are appropriate and maintained.
The CIO has designated responsibility to the Computer Protection Program Manager (CPPM) for developing Minimum Security Standards and Security Policies for computing and communications at LBNL. It is the responsibility of each user, system manager, and line manager to ensure that these standards are adhered to, and that additional safeguards are put in place if judged necessary.
The Laboratory has extensive security policies which govern the operation and minimum configuration of systems and services on LBNL networks. All systems and users connecting to LBNL networks must follow these policies and take additional precautions to secure data when appropriate. These guidelines may be found in RPM §9.02 and on the Computer Protection Website located at http://www.lbl.gov/cyber.
Ultimate authority to remove a service, system, or user deemed a security threat to the institution has been delegated to the CPPM.
Ultimate responsibility for the safe and secure operation of resources and the safe and secure storage, transmittal, and disposal of data rests with the user, data owner, system manager, and their respective line management. Additional delineation of responsibilities may be found in the Computer Security Program Plan.
LBNL is required to provide additional protection to certain categories of private information. This includes information such as social security, driver’s license, and financial account numbers, as well as certain personal health information. Only the institutional business systems of the Laboratory are accredited for the ongoing storage of this kind of information. Email, local workstations, and network storage are not acceptable for the ongoing storage of collections of this information unless they have been specifically approved by the user’s line management and concurred on by the Computer Protection Program Manager. Unintended releases of private information or suspected releases of private information must be immediately reported to the CPPM. Additional support for managing private information may be found here.
In addition, certain services and types of information are judged sufficiently important to require additional oversight by the Computer Protection Program. Systems designated as requiring additional protection are required to develop system security plans and adopt additional management, operational, and technical controls.
All users of LBNL computing systems must adhere to training requirements appropriate to their responsibilities. Minimum training requirements are established by the CPPM and include annual user awareness training.
All Laboratory computing and communications services are provided to further the mission of the Laboratory. Use related to the individual’s position at LBNL includes, but is not limited to, research and administrative functions, approved professional development and educational activities related to the user’s position, Laboratory-approved community relations and support activities, and support of internal and external committees, task forces, and organizations related to the employee’s position.
The Laboratory recognizes that incidental personal use of information resources also occurs. Incidental use is generally understood to be transient, that is, incidental use should not create a lasting association between the use and the Laboratory. Such use is acceptable provided it does not constitute unacceptable use as defined below, and meets the following requirements:
When such use does not meet these criteria, it becomes unacceptable use. Users who elect to engage in incidental use do so with no expectation of personal privacy concerning their actions.
Incidental use is a privilege provided to members of the Laboratory community and may be revoked.
Where incidental incremental costs are incurred and the Laboratory has a system by which the Regents can be reimbursed for these costs, employees must follow the procedures and reimburse the institution.
Activities that constitute “unacceptable use” of Laboratory resources include, but are not limited to, the following:
All use of LBNL systems must be authorized by a responsible employee who takes security responsibility for the use and/or user and ensures that LBNL IT policies are communicated to the user and followed in the course of granting access. Use must be reviewed by the granting employee on a schedule appropriate to the risks presented by the service or system.
For reasons of both security and efficiency, the CIO has designated selected services as Institutional Services. These services may only be provided by the designated responsible office or by permission of the responsible office or its designees. Operating, maintaining, or modifying such services without the express consent of the responsible office is a violation of this policy. The current list of such services may be found here.
Additional policy, procedure, and governance information for Computing and Communications Policy is found on the CIO Policy Website. Notwithstanding this section, users of LBNL information and systems are subject to all applicable University of California and Department of Energy regulations, and applicable state, federal, and international laws.
Violation of this policy may result in restriction of access to resources, disciplinary action up to and including dismissal, loss of site access privileges, and/or referral to federal or state law enforcement authorities for criminal or civil prosecution.
The official or current version is located in the online LBNL Requirements and Policies Manual.
Printed or electronically transmitted copies are not official. Users are responsible for working with the latest approved revision.