Use of SLAC Information Resources Guidelines

1. OVERVIEW

The Acceptable Use of SLAC Information Resources Policy governs how SLAC information resources are to be used.
Computer Securityís intentions for publishing the Acceptable Use of SLAC Information Resources Policy are not to impose restrictions that are contrary to SLACís established culture of openness, trust and integrity. SLACís information resources must be protected from unauthorized access
Effective cyber security is a team effort involving the participation and support of every SLAC User who deals with information and/or information systems. It is the responsibility of every computer user to know these requirements and conduct their activities accordingly.

2. PURPOSE

This guideline is to provide a framework of acceptable use of SLAC information resources in compliance with the Acceptable Use of SLAC Information Resources Policy.

3. SCOPE

This guideline applies to all employees, contractors, consultants, temporaries and other workers at SLAC, including all personnel affiliated with third parties (ďUserĒ) accessing all SLAC data-communication and telecommunication facilities and services (including, but not limited to, e-mail, instant messaging, telephones, voice mail, faxes, SLAC data, networking services, storage media, computers and associated peripherals and software), whether for administration, research, or other purposes.

4. GUIDELINES

4.1 General Use and Ownership

4.1.1 Suspected misuse of SLAC information resources must be reported at once. This is an affirmative duty. The SCCS help line (Ext. HELP [4357] option 3) can ensure that you are put in contact with the proper authority for receiving such a report.
4.1.2 Keep passwords secure and do not share accounts. Users are responsible for the security of their passwords and accounts. Passwords must comply with the Password Policy. Shared passwords require an exception approved by the Computer Security Officer (CSO).
4.1.3 Before leaving a system unattended, log off or activate a password-protected screen saver or be sure the door is locked on your way out.
4.1.4 Minor incidental personal use is allowed, provided such use does not interfere with SLACís business operations or the userís employment obligations to SLAC. Users are expected to use their best judgment in limiting personal use to acceptable levels and if there is any uncertainty, employees should consult their supervisor or manager.
Minor incidental personal use is allowed if it satisfies the following criteria:

4.1.4.1 It does not impact or interfere with the employee's legitimate job performance;
4.1.4.2 It does not impact or interfere with the work of any other User or the correct functioning of any SLAC information resource;
4.1.4.3 It does not support running a business or paid consulting;
4.1.4.4 It does not involve illegal activities or violate SLAC policy;
4.1.4.5 It does not involve any activity that will potentially embarrass SLAC, Stanford University or DOE or result in a loss of public trust.
4.1.5 All use of SLAC information resources must be authorized and provisioned via SLAC processes, i.e. account request and creation, access control, etc.

4.2 Security and Proprietary Information

4.2.1 For security and network maintenance purposes, authorized individuals within SLAC may monitor equipment, systems and network traffic at any time, per SLAC Audit and Accountability Policy.
4.2.2 Legally protected information subject to privacy laws or confidentiality requirements such as data that might give unfair advantage to a vendor, email and personnel records is stored on SLAC computers.

4.2.2.1 Users should take appropriate steps to safeguard legally protected information for which they are responsible. For information concerning the protection of data from unauthorized use, contact the SCS Help Desk
4.2.2.2 Users should not attempt to gain unauthorized access to legally protected information. Users suspecting that they have accidentally gained access to such information should not use or disseminate the information and should report the incident to security@slac.stanford.edu.

4.2.3 Postings by Users from a SLAC email address to online sites, e.g. newsgroups or blog sites, should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of SLAC, unless posting is in the course of business duties.
4.2.4 All hosts connecting to the SLAC network shall be continually executing virus-scanning software with a current virus definitions database unless an exception has been granted.

4.3 Unacceptable Use

The following activities are, in general, prohibited. Select employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

4.3.1 Any member of the SLAC community who, without authorization, threatens the access and sharing of information is engaging in unethical and unacceptable conduct. Such unethical conduct includes destroying, altering, dismantling or damaging SLAC information resources, or interfering with access to or use of these SLAC resources.
4.3.2 Under no circumstances is a User authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing SLAC owned resources.
The list below is by no means exhaustive, but attempts to provide a framework for activities which fall into the category of unacceptable use.

4.3.2.1 Excessive personal use of SLAC systems is prohibited
4.3.2.2 Sharing a password for a SLAC computer account is prohibited unless an exception has been granted by the CSO.
4.3.2.3 Unauthorized copying of copyrighted software is strictly prohibited.
4.3.2.4 Use of SLAC information resources for fraudulent, illegal, harassing, offensive, or obscene purposes is prohibited, as is use of SLAC information resources for lobbying of any kind.
4.3.2.5 Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) is strictly prohibited.
4.3.2.6 Capturing and/or decryption of system or user password is strictly prohibited. (See Software Use Policy.)
4.3.2.7 Use of systems or networks to gain unauthorized access or to connect to other systems in an attempt to evade security of the local or remote systems is prohibited.
4.3.2.8 Effecting security breaches or disruptions of network communication is prohibited. Security breaches include, but are not limited to, accessing data of which the User is not an intended recipient or logging into a server or account that the User is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
4.3.2.9 Use of SLAC connections to leak confidential or privileged information for personal advertisement or gain, on behalf of outside business ventures or for personal, political or religious causes is prohibited.
4.3.2.10 Use of SLAC resources to represent SLAC, unless specifically authorized to do so, is not allowed. Users may participate in newsgroups or chats that are in furtherance of SLAC business, so long as they refrain from any unauthorized advocacy or endorsement of any product, service or cause.
4.3.2.11 Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question

5. ADDITIONAL REFERENCES

Use of SLAC Information Resources Policy
Stanford University Computer and Network Use Policy
Stanford Information Security Incident Response
Guidelines for connecting computers to SLAC internal network
Software Use Policy

For any questions regarding these guidelines please contact the Computing Division help line (Ext. HELP [4357] option 3) or send email to: security@SLAC.Stanford.edu.