IMSS Internal Safe Computing Practices Policy
The objective of this policy is to ensure that Caltech accounts, data, and systems remain protected from disclosure or disruption in a remote, hybrid, or office-only working mode. Key components of this goal are:
- To use safe computing practices when using Caltech accounts (especially those that confer high system privileges), and
- To access Caltech data on securely managed computing equipment.
Caltech systems and data should be accessed from Caltech-owned systems. Some exceptions are described below – but the majority of IMSS work should be performed solely on Caltech-owned systems managed by the IMSS Managed Computing service, or, with the authorization of the supervisor, managed by the employee in compliance with secure computing guidelines set below.
This policy applies to all IMSS personnel. Exceptions must be expressly approved in writing by your supervisor, and by Information Security. Failure to adhere to this policy may result in disciplinary action, up to and including separation from the Institute. Some groups may have additional requirements over and above those specified here.
What is a workstation? For the purposes of this document, a workstation is the computer from which you conduct Caltech work, excluding simply reading email.
Permission to self-manage a workstation, rather than using the IMSS Managed Computing service, must be explicitly granted by your supervisor at their discretion. If you manage your own workstation, you take on responsibility on behalf of IMSS and the Institute for the security of that system, and for its effect on the security of the systems you access from it. You must perform this function according to the secure computing guidelines set forth here.
- Security updates to operating systems and applications (including browsers and browser plugins) must be applied within a month of release, and within 24 hours in the case of updates that address high-priority vulnerabilities, as designated by Information Security or your supervisor.
- Remote network services, if enabled, must be limited to campus only and/or specific IP addresses. Services other than Remote Desktop, SSH, and Apple Remote Desktop must be explicitly approved by your supervisor.
- Software firewalls must be enabled and set to disallow all inbound traffic (i.e., traffic originating externally). The exception to this is approved remote access services, such as RDP, SSH, or Apple Remote Desktop, which should be subject to the above IP range restrictions, and configured in a secure manner. If it is necessary to run other services from a workstation, approval must be obtained from your supervisor and Information Security.
- Remote workstation login should use Duo two-factor authentication where possible. Use passphrase-protected SSH keys for additional authentication protection. See /services/security/it-staff/deploying-mfa for help on protecting remote access with Duo.
- Logging must be configured to capture significant system events. At minimum, logging should capture:
  - System and services startup/shutdown,
  - Establishment of inbound network connections,
  - Changes to system configuration,
  - Log on attempts – successes and failures, and
  - Account changes.
- Use an unprivileged account (i.e., one without admin or root privileges) for routine computing.
- All workstations should use Network Time Protocol (NTP) configured to a reliable source to keep system clocks accurate.
- Your Caltech workstation is assigned for your use for Caltech business. It may not be used by any other persons. However, incidental personal use of your own that does not put the security of Caltech's computing resources, data or accounts at risk is permitted.
- Caltech-owned Windows workstations should be connected to Caltech's domain.
- All Caltech workstations should use Caltech's Box environment, OneDrive, or IMSS-managed network file servers for Caltech work product documents or data files created. Any documents or data files that must remain local must be backed up to one of the previously mentioned environments on a periodic basis, no less than every two weeks.
- For Caltech-owned Mac computers, employees should set up a separate Apple ID specific to Caltech work. Passwords to this account should comply with strong password specifications (see https://help.duo.com/s/article/5909?language=en_US).
- Your access.caltech password must be unique. Do not reuse this password on any other systems or services, either at Caltech or elsewhere. Any other Caltech account passwords should also be unique.
- Passwords assigned to individual user accounts must not be shared. Never give out the password for your account on any Caltech system or service to anyone, for any reason.
- Don't save individual or privileged account passwords within applications or your browser. Use a password management utility if needed.
- When there is any doubt about whether a password may have been exposed, change it. If you note any anomalies with your account that may indicate your password or computer has been compromised, report it to Information Security immediately.
- Set a password-protected screensaver to start after a maximum of 15 minutes idle time. For desktop workstations in a physically secured area, 30 minutes idle time may be configured.
- Mobile computers should never be unattended when not at your Caltech desk or home unless they are placed in a secure area. If you need to transport a mobile computer and leave it in your vehicle for a period of time, lock the computer in the trunk or other non-visible place – do not leave it in the passenger area.
- Where possible, full disk encryption must be enabled on mobile computers. Performance degradation due to full disk encryption is very unlikely for Windows and Mac systems. If you are using another operating system and do encounter performance degradation due to full disk encryption, consult with the Information Security team. Encryption keys should be escrowed with the Help Desk.
- All IMSS computers must implement a strong password or biometric for account login.
- Only store sensitive Institute data (such as legally-protected personally identifiable information (PII), or health or financial information) in IMSS designated databases. If you must extract PII for a project, it must be stored on an IMSS-managed service in a location designated for that purpose. Check with your supervisor if there is any doubt.
- When using the Caltech VPN on a remote Caltech-owned computer, set the client to "Tunnel All." In particular, use VPN when connecting from a public network such as an airport, hotel, or coffee shop wireless network. Do not change DNS server setup – allow DHCP to specify the domain name servers.
- Don't open unexpected email attachments without antivirus scanning and confirming the contents with the sender.
- Don't click on links in email without confirming that the link points to the expected destination. Most email clients will show link information by hovering the mouse over the link before clicking, or via touch-and-hold in the case of touch-screen devices.
- When setting security questions, avoid giving responses that can be easily researched. For example, "Where did you first work?" may be easily findable via LinkedIn, or "mother's maiden name" via a genealogy site.
- Exercise extreme caution when installing new applications. Do you know exactly what this application does? Where did it come from? Are you sure it hasn't been tampered with?
- Trust your instincts. If it seems fishy, it probably is. If you have doubts, contact Information Security for consultation.
Use of Personal Computers
- IMSS employees may access Caltech email with their personal phones. Please be mindful of safe practices while using your phone as with other computing environments.
- If you need to read Caltech email, attend an online meeting, or use a communication tool (such as Slack) from a non-Caltech-owned device, that device must be a personal device used only by you, that you manage in a secure manner as above.
- If it becomes necessary to use a non-Caltech-owned device for other Caltech computing in an emergency:
  - As above, use only devices that you manage in a secure manner, and
  - Use that device solely as an emergency pass-through to a secure Caltech-owned device.
- If, due to emergency circumstances, it becomes necessary to use a device you have not secured in order to assist with a Caltech emergency, use that device as a pass-through to a secure Caltech device and change your password as soon as possible from a secure device afterward.