Security Policy

1.0 Purpose

The information stored and generated on HPCVL facilities is a vital asset to the researchers utilizing HPCVL resources. The purpose of the Security Policy is to protect this asset by establishing responsibility for the security of that information and the resources of the facility. This policy applies to all HPCVL staff and third parties involved in supporting the consortium, and users of the facilities.

2.0 General Policy Statement

It is the policy of the HPCVL to protect the information assets of its users and allow the use, access and disclosure of such information only in accordance with HPCVL policy and applicable laws and regulations. All employees providing services or working with the HPCVL's information are responsible for protecting it from unauthorized access, modification, destruction or disclosure.

3.0 Specific Policy Details

3.1 Resources and Facilities Covered by this Policy

This policy details the rules of conduct for users of HPCVL computing resources, list general prohibitions which apply, and provides additional information that may apply in certain circumstances.

All resources managed and overseen by HPCVL are covered by this policy, including computing hardware and software, documentation and other reference materials, all data residing on HPCVL machines and all consortium owned data wherever it resides, media such as CD-ROM, tape and other storage devices, and all other possessions managed by HPCVL. Policy coverage will apply even in cases where the management of HPCVL has authorized the temporary relocation of resources to areas not normally under the control of HPCVL management (such as a user office or employee's home).

HPCVL considers all temporary and permanent connections to be subject to the provisions of this policy.

Computing resources not owned by the HPCVL may be connected to the HPCVL's facilities. However, all such resources must function in accordance with HPCVL regulations governing the use of computing resources.

HPCVL reserves the right to monitor the content of all transmissions on networks maintained by the facility at any time necessary in accordance with all provincial and federal regulations. If such monitoring is deemed necessary, approval must be given by the Director prior to the act of monitoring.

3.2 The HPCVL Computing Equipment

Each institution must appoint a staff member who will maintain a list of HPCVL inventory at that institution. The list of HPCVL inventory must be made available when required by HPCVL.

Access to computer rooms, wiring closets, and other locations containing HPCVL hardware (both computer and network components) must be physically restricted. Whenever physical restrictions are temporarily inactivated, backup monitoring must be substituted. This is done to prevent tampering, theft, and unauthorized usage. In accordance with this, network topology for HPCVL system must be designed in such a way as to minimize the chance of unauthorized access to the network and transmitted data.

3.3 The HPCVL Computing Environment

User accounts on HPCVL systems are regulated using the following criteria as defined in the Account Management Procedure:

Unless otherwise pre-arranged, inactive user accounts on a system will be disabled after forty-five (45) days. The account owner will be notified fifteen (15) days prior to this action.

Accounts will be deleted when a user no longer requires time on the system. This shall be determined as per the policies of granting use of the system.

HPCVL management reserves the right to deny facility access, or suspend or delete user accounts earlier than the times specified when compelling reasons exist for such action. In all cases, such change of access will be approved by the Director beforehand.

Subject to the limitations of particular systems, HPCVL will force the regular changing of passwords on all accounts for all systems.

Naming standards, password change frequency, password length, and allowable number of unsuccessful login will be standardized.

Full contact and affiliation information must be recorded and available prior to access being granted.

Users should have a minimum number of userid names in use on HPCVL's computing platforms. The same userid will be used on all machines. The use of non-standard mechanisms for account creation is strongly discouraged. The standard mechanisms for account creation should be as similar as possible across all platforms. The minimum account name length is three characters, and should never exceed eight characters.

Users are required to notify HPCVL immediately about the departure of users when such users have accounts that allow access to the HPCVL systems.

3.4.4 Prohibited Acts & Proper Resource Utilization

Prohibited acts include but are not limited to the following:

  • intentional disruption of service to other HPCVL users,
  • exploitation of insecure accounts or resources, or the lack of knowledge or other users,
  • attempting to guess, crack or otherwise determine another user's password or gain access to his account,
  • interception of network transmissions with hardware or software "sniffers", and
  • forging of electronic mail or electronic news or otherwise misrepresent themselves or other individuals in any electronic communication.

Proper Use of Resources:

All users are expected to use good practices that will ensure proper use of HPCVL's computing resources. Such efforts include (but are not necessarily limited to):

  • management of accounts & passwords (i.e., no sharing, writing down, etc.),
  • management of login sessions (i.e., automated signoff or use of software locks when leaving the workstation unattended),
  • respect of software copyrights and licenses, and
  • management of sensitive information.

Accessible information (because of accidental exposure and/or through the malice of others who have broken into a system or are misusing their access privileges) does not necessarily condone use or modification privileges.

General adherence to the computer code of ethics at the corresponding institutions is required.

3.5 Data Storage and Removal

All sensitive, valuable, and critical data resident on the HPCVL systems will be periodically backed up. Backup data will have equivalent security to online data. Backups will be stored offsite. Users with an enhanced requirement that requires special arrangements must get approval from the Director of HPCVL.

When accounts are removed from HPCVL machines, data stored within the account will be retained for a period of one (1) year. Removal of data will be done with disk scrubbing tools such as those that overwrite the data multiple times before removal. All data on HPCVL system will be considered to be sensitive data.

3.6 Software Integrity

To prevent infection from computing viruses or worms, HPCVL staff must not use any externally provided software from anyone other than known and trusted suppliers. The only exception to this is software that has been tested and approved by the Director or designate.The system administrators will ensure the integrity of the operating software and system data on HPCVL machines on a regular basis. Modifications to the system configuration or software will be noted.

3.7 System Logs Retention

All HPCVL computerized journals and logs containing relevant system activities will be retained for three (3) years. During this period, these files cannot be modified and can be read only by authorized HPCVL personnel.

Information describing all reported information security problems and violations will be retained for a period of seven (7) years.

The retention period can be extended if the material might be required for an imminent legal action.

The HPCVL system administrators will maintain a systematic process for the recording, retention, and destruction of sensitive data and accompanying logs for the purpose of auditing or investigation.

Time synchronization will be applied to all HPCVL servers.

3.8 Additional Security Prohibitions for HPCVL Staff

System administrators will not use their privileges to examine the private information of other users except in the course of resolving problems and where access to such information is necessary.

When private information must be examined because of situations not related to the normal maintenance performed by system administrators, the Director of HPCVL will be informed of the activity to ensure that all HPCVL, Provincial, and Federal policies are taken into account during the examination of such information.

Under no circumstances will HPCVL staff share account passwords, key combinations, alarm codes, keys, access cards or any other access control mechanism for any HPCVL-owned resource or facility with any individual in a manner inconsistent with the policies established by their supervisor. In the absence of such policies, employees must have the explicit permission of their supervisor to share any access mechanism to any HPCVL resource.

HPCVL staff may not remove resources (hardware, software, documentation, etc.) from HPCVL facilities without the explicit permission of their supervisor. In all cases the supervisor shall be notified of the movement and shall update the employee's inventory record accordingly.

HPCVL staff may not load any software onto their workstations or HPCVL's multi-user servers, which has not been purchased or is not free. Software identified as "shareware" will be examined carefully to ensure that HPCVL is in compliance with any requirements regarding corporate usage. However, under no circumstances will software binaries from unknown or illegal sources be placed on HPCVL workstations or servers. This regulation also applies to HPCVL machines not located in HPCVL facilities.

HPCVL reserves the right to audit HPCVL workstations and servers without warning for the purpose of verifying software licensing compliance.

HPCVL staff may not grant accounts to non-HPCVL users without the explicit permission of their supervisor.

No HPCVL staff member may run any program which extracts the data portion of network packets without the explicit permission of their respective director.

4.0 Violations Of This Policy

Employees and users who violate this policy may be subject to disciplinary action in accordance with HPCVL due process.

5.0 Related Documentation

The following HPCVL policies may be more appropriate for dealing with certain situations or may provide additional information when HPCVL enforces the provisions of this policy:

Please refer to your institutions own Policies for particulars.

  • Account Management Procedures
  • Copyright policies, IP policies (as governed or negotiated by contracts)
  • Computer ethics and code of conduct for each partner
  • Security Incident Response Procedures
  • Revocation of access policies.

Definition Of Terms

HPCVL staff: staff and/or designate working on any HPCVL project.