(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Export Controlled Data on Beocat ==
== Export Controlled Data on Beocat ==


Export-controlled information housed on Beocat must be managed in accordance with these and relevant KSU guidelines. Export-controlled information that is received by or brought to KSU must be housed on a server designated for this purpose. Any exceptions must be explicitly approved by the Chief Information Security Officer, the Director of Export Compliance, and the Vice Provost for Research.
Export-controlled information housed on Beocat must be managed in accordance with these and relevant KSU guidelines. Export-controlled information that is received by or brought to KSU must be housed on a server designated for this purpose. Any exceptions must be explicitly approved by the Chief Information Security Officer, the Director of Export Compliance, and/or the Vice Provost for Research as appropriate.


== Guidelines ==
== Guidelines ==
Data subject to ITAR or EAR export control restrictions is referred to collectively below as Controlled Information.
Data subject to ITAR or EAR export control restrictions is referred to collectively below as Controlled Information. The following are typical guidelines and how Beocat addresses them.


=== Access controls ===
=== Access controls ===
#; Do not post Controlled Information on public websites or websites that rely solely on IP addresses for access control. Instead, secure access using individually-assigned accounts requiring username/password, user certificates, or other user-specific authentication methods.
#; Do not post Controlled Information on public websites or websites that rely solely on IP addresses for access control. Instead, secure access using individually-assigned accounts requiring username/password, user certificates, or other user-specific authentication methods.
#: All Beocat accounts are individually assigned requiring username/passwords This is done through K-State's eID system, using their account and password policies.
#: All Beocat accounts are individually assigned requiring username/passwords This is done through K-State's eID system, using their account and password policies. 2FA (e.g., Duo) is supported.
#
#
#; Protect Controlled Information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.
#; Protect Controlled Information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.
#: All Beocat accounts are protected by a username/password. Beocat physical servers are in locked data centers in Durland Hall and Nichols Hall.
#: All Beocat accounts are protected by a username/password. Beocat physical servers are in locked data centers in Durland Hall and Nichols Hall. Data center access is logged, and multiple CCTV security cameras are in use to monitor visitor activity.


=== System management ===
=== System management ===
#; Use regularly-updated malware protection software
#; Use regularly-updated malware protection software
#: What counts as malware protection software in Linux? Does this need to be on all headnodes, compute nodes, or all systems? What are the performance implications of such things?
#: Nesus is used for malware detection.
#
#
#; Keep computers hosting Controlled Information up to date on security patches and updates.
#; Keep computers hosting Controlled Information up to date on security patches and updates.
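Review bot: the new answer under "Use regularly-updated malware protection software" drops the earlier revision's open questions (whether coverage is needed on headnodes, compute nodes, or all systems, and what the performance implications are) without answering them; "Nesus is used for malware detection" does not say which systems run it. Suggest stating the scope in that line and correcting the spelling to "Nessus", matching the "We run a Nessus agent" sentence in the rendered page. In the Access controls answer, "requiring username/passwords This is done" is missing a period between the two sentences.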

Latest revision as of 14:27, 29 March 2023

Export Controlled Data on Beocat

Export-controlled information housed on Beocat must be managed in accordance with these and relevant KSU guidelines. Export-controlled information that is received by or brought to KSU must be housed on a server designated for this purpose. Any exceptions must be explicitly approved by the Chief Information Security Officer, the Director of Export Compliance, and/or the Vice Provost for Research as appropriate.

Guidelines

Data subject to ITAR or EAR export control restrictions is referred to collectively below as Controlled Information. The following are typical guidelines and how Beocat addresses them.

Access controls

  1. Do not post Controlled Information on public websites or websites that rely solely on IP addresses for access control. Instead, secure access using individually-assigned accounts requiring username/password, user certificates, or other user-specific authentication methods.
    All Beocat accounts are individually assigned and require a username/password. This is done through K-State's eID system, using their account and password policies. 2FA (e.g., Duo) is supported.
  2. Protect Controlled Information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.
    All Beocat accounts are protected by a username/password. Beocat physical servers are in locked data centers in Durland Hall and Nichols Hall. Data center access is logged, and multiple CCTV security cameras are in use to monitor visitor activity.

System management

  1. Use regularly-updated malware protection software.
    Nessus is used for malware detection.
  2. Keep computers hosting Controlled Information up to date on security patches and updates.
    We perform routine updates on our systems.
  3. All Controlled Information must be encrypted if stored on mobile computing devices such as laptops and PDAs, or on removable media such as thumb drives or CD/DVD. See additional notes below.
    All storage holding potentially sensitive information is encrypted using LUKS and/or AES-256.
  4. Wipe electronic media in accordance with NIST 800-88 Guidelines for Media Sanitization.
    Electronic media is disposed of following K-State's policies on Media Sanitization and Disposal.

Transmission of Data

  1. Do not transmit or email Controlled Information unencrypted. If encryption is not available, data must be individually encrypted using at least application-provided mechanisms such as the password-based encryption provided in Microsoft Office 2007 and above.
    All access to Beocat is encrypted.
  2. Provide monitoring and control over inbound and outbound network traffic. Block unauthorized ingress and egress.
    We monitor inbound and outbound traffic. Unauthorized ingress and egress are controlled via firewalls.
  3. Detect exfiltration of data using firewalls, router policies, intrusion prevention/detection systems, or host-based security services.
    We use firewalls to prevent exfiltration, and monitor logs from an Elastic Stack instance for intrusion detection and prevention. We run a Nessus agent on many user-facing systems.
  4. Transfer controlled information only to subcontractors with a need to know. Subcontractors must adhere to these same data protection requirements. Include these data protection requirements, including this requirement, in all subcontracts if access to or generation of controlled data will take place.
    Information transfer to subcontractors is controlled by, and the responsibility of, the individual Beocat user.

Shared Systems

In such cases where the Controlled Information is a software executable that will be run on a shared (multi-user) system such as a compute cluster, the following additional guidelines apply:

  1. The directories containing the software shall be access controlled so that only its designated user(s) as approved by the PI will have read, write and execute permissions. All others shall have no access permissions.
    All Beocat user directories are access controlled so that only its designated user(s) as approved by the PI will have read, write and execute permissions. All others have no access permissions. Any exceptions require prior written approval by the appropriate authorities.
  2. The shared system shall be managed solely by U.S. Persons, as defined in the export regulations. All users with root or sudo privileges must be U.S. Persons.
    All Beocat staff and those with root/sudo privileges are U.S. Persons.
  3. Only U.S. Persons shall have unescorted physical access to the shared system.
    Visitors to the Engineering and Nichols Data Centers are required to be escorted.
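
A check for item 1 under Shared Systems ("All others shall have no access permissions"), as an added example that is not Beocat's own tooling: it lists every entry in a software directory that still grants a permission bit to "other" and can strip those bits. The function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a directory tree against the rule that users other
# than the designated ones have no access. All names here are hypothetical.

# Print every entry under $1 that grants any permission bit to "other".
# Symlinks are skipped: their own mode bits are not used for access checks.
world_accessible() {
    find "$1" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}

# Return 0 when the tree is compliant, 1 when something is exposed,
# 2 when the path cannot be audited.
audit_controlled_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=$(world_accessible "$dir") || return 2
    if [ -n "$findings" ]; then
        echo "entries granting access to 'other' under $dir:" >&2
        echo "$findings" >&2
        return 1
    fi
    return 0
}

# Remove all "other" bits from the tree; owner and group bits are untouched,
# so a PI-approved group keeps whatever access it was given.
lock_down() {
    chmod -R o-rwx "$1"
}

# Constructed sample tree: a private directory holding one world-readable file.
make_sample_tree() {
    t=$(mktemp -d) && mkdir "$t/software" && : > "$t/software/solver.bin" &&
    chmod 770 "$t/software" && chmod 644 "$t/software/solver.bin" && echo "$t"
}
```

Mode bits do not show POSIX ACL entries, so a tree that passes this check can still grant access through an ACL; `getfacl -R` on the same directory covers that case.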