Use of SLAC Information Resources
Guidelines
1. OVERVIEW
The Acceptable Use of SLAC Information Resources Policy
governs how SLAC information resources are to be used.
Computer Security’s intentions for publishing the Acceptable Use of SLAC Information Resources
Policy are not to impose restrictions that are contrary to SLAC’s established
culture of openness, trust and integrity. SLAC’s information resources must be
protected from unauthorized access.
Effective cyber security is a team effort
involving the participation and support of every SLAC User who deals with
information and/or information systems. It is the responsibility of every
computer user to know these requirements and conduct their activities
accordingly.
2. PURPOSE
This guideline provides a framework for
acceptable use of SLAC information resources in compliance with the Acceptable
Use of SLAC Information Resources Policy.
3. SCOPE
This guideline applies to all employees, contractors,
consultants, temporaries and other workers at SLAC, including all personnel
affiliated with third parties (“User”) accessing all SLAC data-communication and
telecommunication facilities and services (including, but not limited to,
e-mail, instant messaging, telephones, voice mail, faxes, SLAC data, networking
services, storage media, computers and associated peripherals and software),
whether for administration, research, or other purposes.
4. GUIDELINES
4.1 General Use and Ownership
4.1.1 Suspected misuse of SLAC information resources must be reported at once. This is
an affirmative duty. The SCCS help line (Ext. HELP [4357] option 3) can ensure
that you are put in contact with the proper authority for receiving such a
report.
4.1.2 Keep passwords secure and do not share accounts. Users are
responsible for the security of their passwords and accounts. Passwords must
comply with the Password Policy. Shared passwords require an exception approved
by the Computer Security Officer (CSO).
4.1.3 Before leaving a system
unattended, log off or activate a password-protected screen saver or be sure the
door is locked on your way out.
4.1.4 Minor incidental personal use is
allowed, provided such use does not interfere with SLAC’s business operations or
the user’s employment obligations to SLAC. Users are expected to use their best
judgment in limiting personal use to acceptable levels, and if there is any
uncertainty, employees should consult their supervisor or manager.
Minor incidental personal use is allowed if it satisfies the following criteria:
4.1.4.1 It does not impact or interfere with the employee's legitimate job
performance;
4.1.4.2 It does not impact or interfere with the work of any
other User or the correct functioning of any SLAC information resource;
4.1.4.3 It does not support running a business or paid consulting;
4.1.4.4 It does not involve illegal activities or violate SLAC policy;
4.1.4.5 It
does not involve any activity that will potentially embarrass SLAC, Stanford
University or DOE or result in a loss of public trust.
4.1.5 All use of SLAC
information resources must be authorized and provisioned via SLAC processes,
i.e. account request and creation, access control, etc.
4.2 Security and Proprietary Information
4.2.1 For security and network maintenance purposes,
authorized individuals within SLAC may monitor equipment, systems and network
traffic at any time, per SLAC Audit and Accountability Policy.
4.2.2 Legally protected information subject to privacy laws or confidentiality
requirements, such as data that might give unfair advantage to a vendor, email
and personnel records, is stored on SLAC computers.
4.2.2.1 Users should take appropriate
steps to safeguard legally protected information for which they are responsible.
For information concerning the protection of data from unauthorized use, contact
the SCS Help Desk.
4.2.2.2 Users should not attempt to gain unauthorized
access to legally protected information. Users suspecting that they have
accidentally gained access to such information should not use or disseminate the
information and should report the incident to
security@slac.stanford.edu.
4.2.3 Postings by Users from a SLAC email address to online sites, e.g.
newsgroups or blog sites, should contain a disclaimer stating that the opinions
expressed are strictly their own and not necessarily those of SLAC, unless
posting is in the course of business duties.
4.2.4 All hosts connecting
to the SLAC network shall be continually executing virus-scanning software with
a current virus definitions database unless an exception has been granted.
4.3 Unacceptable Use
The following activities are, in general, prohibited.
Select employees may be exempted from these restrictions during the course of
their legitimate job responsibilities (e.g., systems administration staff may
have a need to disable the network access of a host if that host is disrupting
production services).
4.3.1 Any member of the SLAC community who, without
authorization, threatens the access and sharing of information is engaging in
unethical and unacceptable conduct. Such unethical conduct includes destroying,
altering, dismantling or damaging SLAC information resources, or interfering
with access to or use of these SLAC resources.
4.3.2 Under no circumstances
is a User authorized to engage in any activity that is illegal under local,
state, federal or international law while utilizing SLAC owned resources.
The list below is by no means exhaustive, but attempts to provide a framework
for activities which fall into the category of unacceptable use.
4.3.2.1 Excessive personal use of SLAC systems is prohibited.
4.3.2.2 Sharing a
password for a SLAC computer account is prohibited unless an exception has been
granted by the CSO.
4.3.2.3 Unauthorized copying of copyrighted software is
strictly prohibited.
4.3.2.4 Use of SLAC information resources for
fraudulent, illegal, harassing, offensive, or obscene purposes is prohibited, as
is use of SLAC information resources for lobbying of any kind.
4.3.2.5 Introduction of malicious programs into the network or server (e.g., viruses,
worms, Trojan horses, e-mail bombs, etc.) is strictly prohibited.
4.3.2.6 Capturing and/or decryption of system or user passwords is strictly prohibited.
(See Software Use Policy.)
4.3.2.7 Use of systems or networks to gain
unauthorized access or to connect to other systems in an attempt to evade
security of the local or remote systems is prohibited.
4.3.2.8 Effecting
security breaches or disruptions of network communication is prohibited.
Security breaches include, but are not limited to, accessing data of which the
User is not an intended recipient or logging into a server or account that the
User is not expressly authorized to access, unless these duties are within the
scope of regular duties. For purposes of this section, "disruption" includes,
but is not limited to, network sniffing, ping floods, packet spoofing, denial of
service, and forged routing information for malicious purposes.
4.3.2.9 Use
of SLAC connections to leak confidential or privileged information for personal
advertisement or gain, on behalf of outside business ventures or for personal,
political or religious causes is prohibited.
4.3.2.10 Use of SLAC resources
to represent SLAC, unless specifically authorized to do so, is not allowed.
Users may participate in newsgroups or chats that are in furtherance of SLAC
business, so long as they refrain from any unauthorized advocacy or endorsement
of any product, service or cause.
4.3.2.11 Exporting software, technical
information, encryption software or technology, in violation of international or
regional export control laws, is illegal. The appropriate management should be
consulted prior to export of any material that is in question.
5. ADDITIONAL REFERENCES
For any questions regarding
these guidelines please contact the Computing Division help line (Ext. HELP
[4357] option 3) or send email to:
security@SLAC.Stanford.edu.