Security Policy

1.0 Purpose

The information stored and generated on CAC facilities is a vital asset to the researchers utilizing CAC resources. The purpose of the Security Policy is to protect this asset by establishing responsibility for the security of that information and the resources of the facility. This policy applies to all CAC staff and third parties involved in supporting the consortium, and users of the facilities.

2.0 General Policy Statement

It is the policy of the CAC to protect the information assets of its users and allow the use, access and disclosure of such information only in accordance with CAC policy and applicable laws and regulations. All employees providing services or working with the CAC’s information are responsible for protecting it from unauthorized access, modification, destruction or disclosure.

3.0 Specific Policy Details

3.1 Resources and Facilities Covered by this Policy

This policy details the rules of conduct for users of CAC computing resources, lists general prohibitions which apply, and provides additional information that may apply in certain circumstances.

All resources managed and overseen by CAC are covered by this policy, including computing hardware and software, documentation and other reference materials, all data residing on CAC machines and all consortium-owned data wherever it resides, media such as CD-ROM, tape and other storage devices, and all other possessions managed by CAC. Policy coverage will apply even in cases where the management of CAC has authorized the temporary relocation of resources to areas not normally under the control of CAC management (such as a user office or employee’s home).

CAC considers all temporary and permanent connections to be subject to the provisions of this policy.

Computing resources not owned by the CAC may be connected to the CAC’s facilities. However, all such resources must function in accordance with CAC regulations governing the use of computing resources.

CAC reserves the right to monitor the content of all transmissions on networks maintained by the facility at any time necessary in accordance with all provincial and federal regulations. If such monitoring is deemed necessary, approval must be given by the Director prior to the act of monitoring.

3.2 The CAC Computing Equipment

Each institution must appoint a staff member who will maintain a list of CAC inventory at that institution. The list of CAC inventory must be made available when required by CAC.

Access to computer rooms, wiring closets, and other locations containing CAC hardware (both computer and network components) must be physically restricted. Whenever physical restrictions are temporarily inactivated, backup monitoring must be substituted. This is done to prevent tampering, theft, and unauthorized usage. In accordance with this, the network topology for CAC systems must be designed in such a way as to minimize the chance of unauthorized access to the network and transmitted data.

3.3 The CAC Computing Environment

User accounts on CAC systems are regulated using the following criteria as defined in the Account Management Procedure:

Unless otherwise pre-arranged, inactive user accounts on a system will be disabled after forty-five (45) days. The account owner will be notified fifteen (15) days prior to this action.

Accounts will be deleted when a user no longer requires time on the system. This shall be determined as per the policies of granting use of the system.

CAC management reserves the right to deny facility access, or suspend or delete user accounts earlier than the times specified when compelling reasons exist for such action. In all cases, such change of access will be approved by the Director beforehand.

Subject to the limitations of particular systems, CAC will force the regular changing of passwords on all accounts for all systems.

Naming standards, password change frequency, password length, and the allowable number of unsuccessful logins will be standardized.

Full contact and affiliation information must be recorded and available prior to access being granted.

Users should have a minimum number of userid names in use on CAC’s computing platforms. The same userid will be used on all machines. The use of non-standard mechanisms for account creation is strongly discouraged. The standard mechanisms for account creation should be as similar as possible across all platforms. Account names must be at least three characters long and should never exceed eight characters.

Users are required to notify CAC immediately about the departure of users when such users have accounts that allow access to the CAC systems.

3.4.4 Prohibited Acts & Proper Resource Utilization

Prohibited acts include but are not limited to the following:

  • intentional disruption of service to other CAC users,
  • exploitation of insecure accounts or resources, or the lack of knowledge of other users,
  • attempting to guess, crack or otherwise determine another user’s password or gain access to his account,
  • interception of network transmissions with hardware or software “sniffers”, and
  • forging of electronic mail or electronic news, or otherwise misrepresenting oneself or other individuals in any electronic communication.

Proper Use of Resources:

All users are expected to use good practices that will ensure proper use of CAC’s computing resources. Such efforts include (but are not necessarily limited to):

  • management of accounts & passwords (i.e., no sharing, writing down, etc.),
  • management of login sessions (i.e., automated signoff or use of software locks when leaving the workstation unattended),
  • respect of software copyrights and licenses, and
  • management of sensitive information.

The fact that information is accessible (because of accidental exposure and/or through the malice of others who have broken into a system or are misusing their access privileges) does not necessarily imply permission to use or modify it.

General adherence to the computer code of ethics at the corresponding institutions is required.

3.5 Data Storage and Removal

All sensitive, valuable, and critical data resident on the CAC systems will be periodically backed up. Backup data will have equivalent security to online data. Backups will be stored offsite. Users with an enhanced requirement that requires special arrangements must get approval from the Director of CAC.

When accounts are removed from CAC machines, data stored within the account will be retained for a period of one (1) year. Removal of data will be done with disk scrubbing tools such as those that overwrite the data multiple times before removal. All data on CAC systems will be considered to be sensitive data.

3.6 Software Integrity

To prevent infection from computer viruses or worms, CAC staff must not use any externally provided software from anyone other than known and trusted suppliers. The only exception to this is software that has been tested and approved by the Director or designate. The system administrators will ensure the integrity of the operating software and system data on CAC machines on a regular basis. Modifications to the system configuration or software will be noted.

3.7 System Logs Retention

All CAC computerized journals and logs containing relevant system activities will be retained for three (3) years. During this period, these files cannot be modified and can be read only by authorized CAC personnel.

Information describing all reported information security problems and violations will be retained for a period of seven (7) years.

The retention period can be extended if the material might be required for an imminent legal action.

The CAC system administrators will maintain a systematic process for the recording, retention, and destruction of sensitive data and accompanying logs for the purpose of auditing or investigation.

Time synchronization will be applied to all CAC servers.

3.8 Additional Security Prohibitions for CAC Staff

System administrators will not use their privileges to examine the private information of other users except in the course of resolving problems and where access to such information is necessary.

When private information must be examined because of situations not related to the normal maintenance performed by system administrators, the Director of CAC will be informed of the activity to ensure that all CAC, Provincial, and Federal policies are taken into account during the examination of such information.

Under no circumstances will CAC staff share account passwords, key combinations, alarm codes, keys, access cards or any other access control mechanism for any CAC-owned resource or facility with any individual in a manner inconsistent with the policies established by their supervisor. In the absence of such policies, employees must have the explicit permission of their supervisor to share any access mechanism to any CAC resource.

CAC staff may not remove resources (hardware, software, documentation, etc.) from CAC facilities without the explicit permission of their supervisor. In all cases the supervisor shall be notified of the movement and shall update the employee’s inventory record accordingly.

CAC staff may not load any software onto their workstations or CAC’s multi-user servers, which has not been purchased or is not free. Software identified as “shareware” will be examined carefully to ensure that CAC is in compliance with any requirements regarding corporate usage. However, under no circumstances will software binaries from unknown or illegal sources be placed on CAC workstations or servers. This regulation also applies to CAC machines not located in CAC facilities.

CAC reserves the right to audit CAC workstations and servers without warning for the purpose of verifying software licensing compliance.

CAC staff may not grant accounts to non-CAC users without the explicit permission of their supervisor.

No CAC staff member may run any program which extracts the data portion of network packets without the explicit permission of their respective director.

4.0 Violations Of This Policy

Employees and users who violate this policy may be subject to disciplinary action in accordance with CAC due process.

5.0 Related Documentation

The following CAC policies may be more appropriate for dealing with certain situations or may provide additional information when CAC enforces the provisions of this policy:

Please refer to your institution’s own policies for particulars.

  • Account Management Procedures
  • Copyright policies, IP policies (as governed or negotiated by contracts)
  • Computer ethics and code of conduct for each partner
  • Security Incident Response Procedures
  • Revocation of access policies.

Definition Of Terms

CAC staff: staff and/or designate working on any CAC project.