1.6 Security Policy
1.6.1 Usage Security Policies
- Summary and General Philosophy
CHPC is an important but limited resource for the University of Utah community. It is CHPC's responsibility to protect these facilities and safeguard their proper use. Our policy is to take reasonable measures to ensure the security of our systems. We also have a policy of maintaining accessibility and ease of use. These two philosophies are sometimes at odds with each other. Our goal is to strike a balance between the two. Because we cannot do this job alone, we depend on your assistance. Responsible use of the system and cooperation on your part helps us maximize availability for you and other researchers.
- Usage Policies
- Please read and comply with the University of Utah Information Resources Policies. Please pay particular attention to sections C and D.
- CHPC does not allow clear text passwords when accessing our systems. We require the use of Secure Shell (SSH).
- CHPC does not allow passwordless ssh and also does not allow custom auto login code or scripts due to significant security incidents at several HPC centers in the past.
- You may not share your account with anyone under any circumstances.
- Do not leave your terminal unattended while you are logged in to your account.
- CHPC operates an unclassified and non-sensitive computing environment. Do not introduce classified or sensitive work on CHPC systems unless you have been approved for the Protected Environment.
- Protect your uNID password and follow campus password policies.
- Do not try to break passwords, tamper with system files, look into anyone else's directories, or otherwise abuse the trust implicit in your account. Your privileges do not extend beyond the directories and files that you rightfully own or to which you have been given permission.
- Do not inspect, modify, distribute, or copy privileged data or software without proper authorization, or attempt to do so.
- If you suspect a security problem, report it promptly and refrain from publicizing your suspicions. For instance, if a file in your directory seems to have changed, but you don't remember having changed it, contact CHPC at 801-585-3791, or send email to helpdesk@chpc.utah.edu. If your concerns are an emergency during non-University working hours, please contact the campus Help Desk at 801-581-4000.
- Qualifying for a CHPC Account
- Any University of Utah faculty member may request an account. New faculty seeking to create a research group and become a CHPC PI usually will meet with CHPC to discuss CHPC services and determine how CHPC can best support their research.
- CHPC PIs may add any of their students, staff or research associates to their research group.
- All CHPC accounts are approved by a CHPC PI or CHPC Administration.
When applying for accounts, users agree to the following:
User Agreement
In obtaining this account I agree to use the Center for High Performance Computing resources solely for the purposes connected with my University of Utah affiliation and agree not to allow my access to be used in a manner which could permit unauthorized use of the computer. During the use of this account, certain proprietary software may be made available. Availability of said software is to be used in accordance with licensing restrictions (typically academic, not for profit) and may not be copied to any other machine(s) or made available to any other person(s). I have read the CHPC security policies and agree to comply with them.
Account sharing is strictly prohibited by university policy: refer to account use in acceptable use policy section III at http://regulations.utah.edu/it/4-004.php
- All CHPC accounts are provisioned in the CHPC NIS, CHPC AD, CHPC VPN, and account holders are subscribed to CHPC email lists.
- In addition, CHPC PIs may set up guest accounts for collaborative file sharing without setting up a full CHPC account. See https://guest-transfer.chpc.utah.edu/
- Additional steps are required if access to the Protected Environment is required. Please contact us at helpdesk@chpc.utah.edu for more details.
- Protected Environment Terms of Use
Agreement/Terms of Use:
- The systems in the CHPC protected environment are University of Utah CHPC systems and are the property of the University of Utah ("University"). They are for AUTHORIZED USE ONLY.
- BY LOGGING ON, YOU AGREE TO THE FOLLOWING UNIVERSITY AND CHPC POLICIES.
- You may ONLY access sensitive information if you have been approved for research on the appropriate IRB and it is necessary for you to carry out approved research.
- You MUST log out after using this system, or anytime you are stepping away from your terminal. The University tracks and audits information accessed by your account name and password.
- Failing to comply with these guidelines, and failing to protect sensitive information generally, are grounds for disciplinary action, up to and including TERMINATION of your affiliation with the University, and may subject you to CIVIL DAMAGES and CRIMINAL PROSECUTION.
- You agree to follow all applicable federal, state, and local laws, as well as University policies and procedures, with regard to the access and use of this system as well as access, use, and disclosure of sensitive information.
- By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY and discontinue accessing or use of this system if you do not agree to the conditions stated in this warning.
- Unauthorized system access, or attempts to bypass security mechanisms, are grounds for disciplinary action, including termination of your employment, and are a violation of state and federal law, which may subject you to civil damages and/or criminal prosecution.
- Do Not Auto-Forward Work email to Personal accounts. All workforce members are required to use only their University UMail accounts for patient and business related mail. You can set email forwarding preferences via https://unid.utah.edu. If you need help with your UMail, contact the Campus Help Desk at (801) 581-4000.
U of U Health Sciences does have separate policies/procedures that align with the policies and rules on the regulations website, but contain more specific requirements. The point related to the requirement for using Umail accounts to conduct business is specifically mentioned in the Health Sciences “Policy: Acceptable Information Resource Use” which is published on the Pulse intranet site. Under “Descriptions”, section E states:
UUHC Employees Must Use UUHC E-mail Accounts When Conducting UUHC Business
UUHC employees are prohibited from using personal e-mail accounts to conduct UUHC business.
- All University personnel (which includes all faculty, students, staff and UofU affiliates with a uNID or login account) are required to encrypt any device with access to Database of Genotypes and Phenotypes (dbGaP) or other Restricted/PHI data. Here is the link to the University Rule for reference: http://regulations.utah.edu/it/rules/Rule4-004C.php
- Access To Information Resources While Off-site
- The CHPC provides remote access to many of the information resources on its network.
"Remote access" is defined as:
- using a modem and dialing into the University's modem pool
- utilizing the CHPC's virtual private network ("VPN")
- utilizing Integrated Services Digital Network ("ISDN") which connects to the CHPC network
- any other connection which provides your computing device with a CHPC network address
- While using remote access, you understand that your machine is a de facto extension of the CHPC's network, and as such is subject to the same rules and regulations that apply to computers physically located at CHPC.
- Specifically, while connected using remote access your computer must have antivirus protection and may be scanned as part of routine network security scans.
Questions or comments can be e-mailed to helpdesk@chpc.utah.edu.
Note:
The PI bears the ultimate responsibility for ensuring the data management conforms to University and policy. For example, the IRB will dictate whether or not data can be moved in/out of this environment. It is CHPC’s responsibility to provide secure mechanisms for data movement, but it is not the CHPC department's responsibility to regulate data movement.
Authentication
- CHPC uses the campus uNID for authentication. For more information on the campus uNID, visit https://uofu.service-now.com/cf/kb_view.do?sysparm_article=KB0000960. Policies that govern the use of the uNID can be found at http://regulations.utah.edu/it/4-002.php.
- Passwords: Refer to the University of Utah password requirements and guidelines at https://uofu.service-now.com/cf/kb_view.do?sysparm_article=KB0000580.
- SSH Keys: By default, SSH keys are disabled. Exceptions will be considered on a case-by-case basis, and must be approved and documented by CHPC.
- Other Authentication Methods: Considered on a case-by-case basis.
- Violations
If CHPC determines that its resources have not been used in an appropriate fashion, the violation could result in disciplinary action including loss of account, current allocation and the ability to qualify for future allocations. Criminal activity could result in legal prosecution.
1.6.2 Host, Service, Network and patching policies
- Summary and General Philosophy
CHPC operates an unclassified network, with an emphasis on openness and collaboration. The general security philosophy is that known offending services and protocols are filtered at the network border, filtering practices are implemented at each IP network boundary, and firewalls are implemented on hosts. PHI (Personal Health Information), classified, or other protected data must not be stored or used on networks or systems provided by CHPC except in the Protected Environment described in this policy.
- Definitions
- Trusted Network: An IP network that is allowed to directly access CHPC file services via NFS and other internal core services, uses NIS and LDAP services, and contains computers that are administered by CHPC. This includes CHPC private networks that are not routed beyond the department network border.
- Un-trusted Network: All other IP networks hosted by CHPC that do not meet the requirements of a Trusted Network.
- Outside Network: Networks outside of CHPC control, including the open internet.
- Network Border: The network device or devices that connect CHPC to other entities (such as University of Utah campus core network or Utah Education Network)
- Router ACL: An access control list used by a router to filter network traffic
- SVI (Switched Virtual Interface): A router interface that is configured on a Layer 3 switch
- Filtered: Blocked or denied traffic.
- Network Border
Protocols that have been shown historically to cause the most problems are filtered at the network border using router ACLs. These protocols include MySQL, Windows File Services (NetBIOS, NetBEUI, CIFS), and others.
- When departments that operate both inside and outside of CHPC’s networks need to use the above protocols across the network border, exceptions are made on a case-by-case basis. All such exceptions must be approved by CHPC. These should be documented in CHPC’s wiki. Campus security policies and other information can be found at http://www.privacy.utah.edu.
- Services Networks
These networks host essential system services such as DNS, TFTP, NIS, and Web servers. These networks are designated as trusted.
- Supported Department Networks
Most departments supported by CHPC staff have a VLAN and IP network that is dedicated for their use. The minimum security requirements for these department networks are as follows:
- Router ACL entries that mitigate source IP address spoofing (AKA “anti-spoofing filters”) with appropriate logging logic
- Bandwidth monitoring of the SVI serving as the network’s default gateway
- Departments may request a more restrictive security policy, which will be implemented in the form of additional router ACLs. These more restrictive ACLs should be documented in CHPC’s wiki when a new network comes online or when a department requests them.
- Wired Untrusted Networks
CHPC offers multiple "untrusted" networks for INSCC and other supported department networks. These networks serve users who administer their own computers or servers. These networks have access to other university networks and the open internet, but not to other CHPC services, with the following general exceptions: DNS to CHPC DNS services, CIFS to CHPC file services, NTP to CHPC time services, SSH to key CHPC public-facing servers, Syslog to CHPC syslog server.
The general access policy for outside networks is that they are allowed unless explicitly blocked by request.
- Wireless Campus Networks
UIT provides all wireless network services on the University of Utah campus. In addition, they provide special authentication realms for CHPC users in the form of “At Services.” The @chpc.utah.edu service allows CHPC users to access file services. Private network addresses using RFC 1918 address space are not accessible from UIT wireless networks.
- University VPN Services
UIT provides VPN services for the University of Utah community. They provide special authentication realms for CHPC users in the form of “At Services.” The @chpc.utah.edu service (when used in conjunction with a VPN client) allows CHPC users to access file services. Private network addresses using RFC 1918 address space are accessible from UIT VPN services if routed.
Hosts
All hosts connected to CHPC networks should implement some type of host firewall (for example, iptables in Linux or the Windows Firewall in Windows). Before any desktop computer or laptop can be connected to a CHPC network, it must be inspected by CHPC desktop support staff and have adequate patches and anti-virus software installed. Hosts fit into three general categories. All categories are required to comply with University of Utah policies/procedures and basic computer safety listed at https://uofu.service-now.com/cf/kb_view.do?sysparm_article=KB0000967
1) CHPC-administered
Only CHPC administrators have root or administrative access to the system. CHPC will apply operating system patches, install and patch software, and provide all necessary security controls to the system.
2) Self-administered
Self-administered machines are hosts that users choose to maintain themselves and that are not on a trusted network; CHPC staff do not have root/admin access. Support is provided on a consultation basis. It is expected that the person maintaining this host take the responsibility and appropriate measures to harden the default installation of the operating system. Please feel free to contact CHPC for configuration questions (email helpdesk@chpc.utah.edu). Some basic guidelines that should be followed are:
- Disable unnecessary services and minimize the amount of running software and services to only what is required to run; turn off or block the rest.
- Maintain user accounts; create a good password policy and enforce its use (especially make sure the root account has a strong password).
- Review logs on a routine basis and send logs to a dedicated log server.
- Keep software up to date.
- Configure and use a software firewall (iptables or equivalent) to block all incoming communications, except for those required for system functionality.
- Implement a mechanism to block failed login attempts.
Contact helpdesk@chpc.utah.edu for questions.
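One way to meet the firewall and failed-login guidelines above on a self-administered Linux host, shown as an added example and not CHPC's own configuration. The function name `render_rules`, SSH on tcp/22 and the rate-limit values are assumptions; the limit throttles new SSH connections per source address and does not inspect authentication results.

```shell
#!/bin/sh
# Added example, not CHPC's configuration. Renders a default-deny inbound
# ruleset in iptables-restore format for a self-administered Linux host.
# Assumptions: SSH on tcp/22; about 5 new SSH connections per source per 60 s.

render_rules() {
    extra_tcp="$1"   # space-separated inbound TCP ports the host must serve

    # Validate every port before emitting anything, so a bad argument can
    # never produce a partial ruleset.
    for port in $extra_tcp; do
        case "$port" in
            ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done

    # Policy DROP on INPUT blocks all incoming traffic that no rule accepts.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF

    # One accept rule per service the host is actually required to offer.
    for port in $extra_tcp; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done

    # Rate-limited kernel log of dropped packets; the local syslog daemon
    # can forward these entries to a dedicated log server.
    cat <<'EOF'
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# When run as a script with ports as arguments, print the ruleset, e.g.:
#   sh host-fw.sh 443 | iptables-restore --test
if [ "$#" -gt 0 ]; then
    render_rules "$*"
fi
```

Check the output with `iptables-restore --test` from a console session before loading it, so a mistake cannot lock out a remote SSH session.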
3) Shared Administration
These hosts are addressed on a case-by-case basis and may be on the trusted or untrusted network. If one makes the case for this mode of administration, one needs to have a "form of adherence letter" on file with CHPC; this form specifies the term of the arrangement. If you have requested permission for "elevated privileges" such as sudo all, you need to fill out an "adherence agreement" which states you understand and agree to specified terms. Please refer to https://www.chpc.utah.edu/role/user/adherence_form.php
As always, please contact helpdesk@chpc.utah.edu
Patching Policies (U of U policy reference: http://regulations.utah.edu/it/rules/Rule4-004G.php)
The University of Utah’s Institutional Security Office (ISO) provides CHPC with monthly Qualys scan/reports for all platforms (win/mac/linux/network). CHPC follows University of Utah policies and frequency requirements with regard to patching Operating Systems. CHPC has internal security reviews and processes, and works with the ISO regarding Institutional policies and recommendations. The reports contain a rating from 1 – 5, with level 5 being the most severe. CHPC addresses level 5 (high) warnings within 7 days of receiving the report, per the UofU CISO’s recommendations (and based on the National Vulnerability Database (NVD) ratings), with this schedule: level 4 (medium severity) within 14 days, level 3 (low) within 28 days, level 2 within 60 days and level 1 within 90 days.
CHPC policy (in addition to the Qualys reports listed above) for hosts that are administered by CHPC or under "shared administration":
Windows: Auto patching is enabled on a daily basis for desktops and weekly for servers, except that hosts named kachina and swasey are done quarterly (unless critical, as provided by the vendor platform).
Mac: Auto patching is enabled weekly.
Linux: By default, we are auto patching security-only vulnerabilities (minus the kernel) daily, based on CVEs being released from Red Hat. For kernel updates, we are reviewing manually and applying what is applicable, since any upgrades to the kernel require a reboot and impact availability (and may impact other drivers).
For the HPC hosts and Department Linux file servers, patches are applied at least on our quarterly planned downtime schedule (we use spacewalk for at least daily software inventory and reporting of HPC gear, but not auto patching). For CVE high security vulnerabilities we evaluate the risk and schedule a "mini downtime" to apply patches and/or take other steps to mitigate risk.
Network Equipment: Patch on quarterly downtime outage windows, unless critical (as provided by the vendor platform). If critical, patch within 7 days.
CHPC's Protected Environment (PE)
The CHPC PE consists of HPC and VM services for researchers; documentation can be found via https://www.chpc.utah.edu/resources/ProtectedEnvironment.php
- Prior to access to the HIPAA environment, users must prove they have completed the University of Utah HIPAA training and that they have proper IRB approval to the particular data set they wish to utilize.
- UNAUTHORIZED ACCESS TO THIS SYSTEM IS STRICTLY PROHIBITED
- BY LOGGING ON, YOU AGREE TO THE FOLLOWING UNIVERSITY OF UTAH AND CHPC POLICIES:
- You may access information only if your research requires it.
- You must keep all identifiable personal information confidential.
- You must logout after use, or when stepping away from your terminal.
- Failing to comply with these guidelines, and failing to protect sensitive information in general, are grounds for disciplinary action, up to and including TERMINATION of your University affiliation, and may subject you to CIVIL DAMAGES and CRIMINAL PROSECUTION.
Note:
The PI bears the ultimate responsibility for ensuring the data management conforms to University and policy. For example, the IRB will dictate whether or not data can be moved in/out of this environment. It is CHPC’s responsibility to provide secure mechanisms for data movement, but it is not the CHPC department's responsibility to regulate data movement.
- Incident Response
- Contact helpdesk@chpc.utah.edu if you suspect any of the CHPC supported systems have been compromised.
- CHPC reserves the right to disable network connectivity for any anomalous activity and expects users' full cooperation when investigating such incidents.
1.6.3 Reporting unsolicited emails (uce), spam or phishing emails
To report unsolicited emails (uce), spam or phishing emails, forward the email as an attachment to phish@utah.edu.
Here is the it.utah.edu reference for reporting phishing email
https://uofu.service-now.com/cf/kb_view.do?sysparm_article=KB0000988
Suspicious e-Mail/Phishing explanation
Phishing (as in “fishing for information” and “hooking” victims) is a scam where Internet fraudsters send e-mail messages to trick unsuspecting victims into revealing personal and financial information that can be used to steal the victims’ identity.
If/when you or your users receive an email that looks like a phishing attempt, please forward the email, as an attachment, to phish@utah.edu.
To do this in Outlook Web Access, right-click on the email and select 'forward as attachment'.
For Outlook 2010 there is a 'more' button (on the home tab), then 'forward as attachment'.
If you can't find it, click on the help button (i.e., the question mark in the upper right) and type in 'forward attachment'.
If there are problems with this, the following may help:
- Click File
- Click Options
- Click Trust Center (bottom)
- Click Trust Center Options
- Click Attachment Handling
- Check Add Properties to attachments to enable Reply Changes
1.6.4 IT resource encryption policy/requirements
If non-human:
There are no restrictions (i.e., can work in general environment without any additional measures) unless the nature of your project includes sensitive or restricted data (see the University Data Classification and Encryption rules, http://regulations.utah.edu/it/rules/Rule4-004C.php) or if there are specialized compliance requirements. If it does have requirements, please discuss with us in order to meet the requirements and also consult the University of Utah Information Security Policy at: http://regulations.utah.edu/it/4-004.php
If human:
Note that CHPC is looking to work with ISO and compliance offices (Privacy, VPR) to provide guidance for any project including human genomic data, including defining who can sign off on appropriate compliance and/or requirements. Regardless, we recommend the use of the Protected Environment (PE), noting that CHPC cannot certify compliance. The responsibility for management of restricted data is the responsibility of the corresponding data steward, often the PI of the research generating the data. CHPC has developed the PE to be an appropriate home for restricted data, however this is subject to ISO review and PI responsibility as the data stewards for the restricted data.
1) Is the data considered PHI and thereby governed by HIPAA regulations? If yes – only in PE
2) If not PHI, is the genomic data governed by the NIH Genomic Data Sharing Policy (https://osp.od.nih.gov/scientific-sharing/genomic-data-sharing/)? If yes, either work in PE OR, if in general, must work with CHPC in setting up use of two factor authentication and extended ACLs to protect data (see specific requirements listed below). Note that the general environment Ceph archive storage (pando) cannot be used for unencrypted data governed by this policy at this time (see https://osp.od.nih.gov/wp-content/uploads/NIH_Best_Practices_for_Controlled-Access_Data_Subject_to_the_NIH_GDS_Policy.pdf for details of security best practices). Specific dbGaP requirements:
3) If neither 1 nor 2, unless there are other restrictions on your data that require proof of proper compliance for restricted data, the project can make use of the general environment resources without restriction AND pando storage is allowed.