6/4/93

---NCSA SECURITY POLICIES AND PROCEDURES---

PURPOSE

The purpose of this document is to define NCSA security policies and processes. This document will also provide the methods for their definition and implementation, assign responsible management, and establish mechanisms for their review and resolution of any conflicts or incidents. It is intended both as an internal policy statement and definition of responsibility, as well as a description of security level definitions and mechanisms of interaction with the policy and procedure generation process for Industrial partners and academic users.

In general, detailed procedures to implement and assure security compliance are not distributed with this document. However, those procedures which impact users and collaborators' day-to-day operation and interaction with NCSA are included here.

INTRODUCTION

NCSA supports a variety of computing systems, services, and development projects for a set of national academic and industrial users. It is the responsibility of any organization to protect its assets and those of its staff and clients or collaborators from injury, theft, or unauthorized use. For the NCSA environment, this can be broken down into a number of areas:

* Personal Security of Staff and Possessions
  This involves the personal safety of people (including staff, partners, collaborators, and visitors) while working at any of the NCSA sites, including their movements to and from transportation. Also included are considerations for the protection of their personal possessions at all times.

* Physical Security of Property
  The buildings, equipment, and records of the organization require protection from fire, theft, and unauthorized use. This area overlaps several of the others listed here.

* Intellectual Property
  This encompasses ideas, methods and scientific results which may be said to belong, either formally or informally, to an individual or organization.
  This applies to staff as well as to academic and corporate researchers and organizations. It may be as simple or informal as the acknowledgement of publication rights to an original idea, or as formal as the handling of licenses or patents for equipment, software, or methods.

* Non-Disclosure Material
  This is a special class of intellectual property that requires a more formal treatment by NCSA's Industrial and Strategic Partners. It includes information or objects which are given to individuals for the purpose of better carrying out their tasks, but for which the "owner" explicitly does not want any further distribution to other individuals or for other purposes than that originally granted.

* Computing System Security
  This includes the management of the computing systems and networks in such a way as to protect against use by unauthorized individuals, as well as to protect intellectual property (text, software, and data) that may be stored or processed by those systems.

Due to both the nature of these activities and the needs of its clients and collaborators, it is necessary to provide a level of security to protect the capital investment in equipment, the personal possessions of staff and users, and the intellectual property, data and presentation materials associated with the supported research projects.

One component of the NCSA mission is to further the state of computational science and engineering and its application to a variety of academic and industrial applications. This brings to NCSA a number of academic and industrial clients which require system solutions and services in order to solve problems of a highly proprietary and confidential nature. However, a very successful strategy in achieving this mission is to create teams of application scientists, computer scientists, programmers, and vendors which are able to quickly achieve hardware and software systems capable of solving new problems.
This can be likened to the creation of a network of people in parallel with a network of computing systems. This environment can function most effectively with an open interchange of problems, ideas, and scientific results, which in general implies an easy access to people, data, and those ideas and results. Such a strategy does not easily adapt to formal security mechanisms, and it is this tension between open and secure environments that NCSA and this document attempt to address and balance.

POLICY

The basic policy and approach to security issues is that a set of mechanisms are provided to the users and staff to protect personal and proprietary materials, data, and ideas, and that those mechanisms and their implied levels of security are documented and understood by NCSA staff. NCSA policies will not require or mandate the sharing or distribution of any material, but will provide mechanisms by which an individual or group may define appropriate protection of that material. It is left to the individual's discretion to employ available mechanisms to protect sensitive information. It is the further intent not to provide an arbitrarily high level of security because to do so would remove all or much of that personal discretion in security mechanism use, to the detriment of many of the collaborative programs which have proven successful.

Finally, in cases in which NCSA, other University personnel or visitors are intentionally exposed to sensitive or proprietary material, it is the responsibility of the owner of that material to make clearly known, in writing and before the exposure, the nature of the material and the limitations on its distribution.

This guideline is applied to various administrative and technical procedures across Center activities, including physical security, computing systems and operations, networking, visualization, applications software, contracts, financial and system usage records, etc.
The following sections define how these procedures and policies specific to particular working areas and groups are defined and implemented.

OVERALL POLICY DECISION

The NCSA Executive Council, made up of the Director, Deputy Director and Associate Directors, will have the responsibility of setting policies associated with security. Providing security never comes without a certain cost, whether in dollars, equipment, or human resources. The implementation of security mechanisms in one area usually has consequences for another area or group. The Executive Council is made up of representatives of all the operational areas of NCSA, and its members are charged with implementing the security levels defined. Mechanisms exist to request changes in procedures based on these policies. These will be discussed later in the document.

DOCUMENTATION

This document outlines the policies and procedures for security at NCSA. The intent is to provide necessary information in this document to allow individual users and groups to make decisions related to types of work performed using NCSA resources. Some specific procedures and security monitoring details will not be documented here, since in some cases, distribution of this type of information can reduce the effectiveness of those procedures and reduce the overall level of security. The Security Officer may provide additional information on procedures and security levels on an individual need to know basis.

MONITORING AND REPORTING

As part of the security assurance program (discussed in more detail in later sections and appendixes of this document) NCSA will, under the direction of the Security Officer, routinely monitor system and administrative activity related to security and the overall compliance of NCSA staff with the established policies and procedures. Regular reports regarding issues of security at NCSA will be provided to the Executive Council.

PROCEDURES

The Associate Director for a given area requiring security policy and procedure definition will be responsible for the definition of specific policies and procedures to address that area. These will, in general, be assembled as a document which may be reviewed by the Security Officer (described in Assurance Section below), Executive Council, as well as by the staff responsible for carrying out the specific procedures. In cases in which a working area may span multiple working groups and Associate Directors, the AD's will work together or specify a single person responsible for carrying out this definition. Documentation of these implemented procedures may be made part of this document at the discretion of the Security Officer.

Associate Directors will also participate in internal and external security reviews or audits in order to analyze, justify and revise current policies and operating procedures as they apply to those groups. Associate Directors are also responsible for establishing a reporting line within the groups that ensures that security violations or potential violations are brought to the attention of the Associate Director as quickly as possible.

A security incident is any action which violates documented procedures or that compromises or has the potential to compromise proprietary or otherwise sensitive information. It is the responsibility of any staff member aware of such a situation to report it within 24 hours to the appropriate Associate Director and the Security Officer. The Associate Director will then investigate the incident, and prepare written descriptions and corrective actions which will, even if in preliminary form, be distributed to the affected parties by the next working day following the reporting of the incident.
Any overall policy issues brought into question by an incident, as well as recommendations for significant changes to existing procedures, will be brought to the attention of the Security Officer and Executive Council.

TECHNICAL STATEMENTS

Policy and procedure details are inserted in this section covering the major operational areas of NCSA. These areas include Computing and Communications, Software Tools, Applications, Academic and Industrial Relations, Finance and Contract Administration, Human Resources & Administrative Services, Scientific Communications & Media Services, Logistical Infrastructure, and the Industrial Program.

MODIFICATIONS

The Security Officer (defined in Assurance Section below) will be responsible for coordinating changes to established procedures. Requests for changes in procedures will be passed through the Security Officer, and that person will respond to feasibility and costs of changing the procedure. All internal changes in procedures will be signed off by the Security Officer.

Modifications to overall policy and the impact of particular procedures on such policy are the domain of the Executive Council. Changes to the policy may be requested through the Security Officer and will be addressed to the Executive Council.

AWARENESS

NCSA recognizes that the security policies and procedures are of value only when the staff are made aware of both the procedures themselves as well as the reasons that make them necessary. Reaching the appropriate state of staff awareness is a continual process of education and review and spans the organization at all levels.

First, each staff member will be provided with a copy of the NCSA Security Policy and Procedures document. Its basic features and detailed procedures for the person's particular area will be reviewed by his or her manager during the first week of employment.
A staff training program will be developed internally, in conjunction with the Security Officer, Industrial Program Security Liaison, System Security Specialist, and Associate Directors, that will, at least bi-annually, present a review of security policies and considerations. All new hires, including management, technical and clerical personnel, will be expected to attend the first available training session following their first day of employment. This training will include presentations and discussions of the reason for implementing security, the policies and procedures document, review processes, and guidelines for daily activities for dealing with proprietary or confidential information.

Second, each working group will engage in a review of policies and procedures pertaining to that group's activities, at least twice per year in conjunction with the Center wide internal review of those procedures. Care will be taken to perform this review in an environment and manner that promotes contributions from the staff and makes them part of the effort of defining the procedures and proper levels of security. The Associate Director (see below) will ensure that these reviews are completed, generate recommendations if needed, and file a report with the Security Officer.

Many individual procedures established will have the capacity to carry outward, visible signs. Such outward, visible signs are useful in providing regular feedback to staff on the importance of security in general. Staff will be encouraged to make use of this mechanism to maintain a level of security awareness.

Managers will consider security procedure compliance as part of regular staff performance evaluations. In addition, the manager will conduct an exit interview with a departing staff member prior to the staff member's final working day at NCSA. This interview will cover, among other things, a review of the non-disclosure agreements in effect for that person.
A discussion of the personal effects of the staff member will be made to attempt to identify any proprietary materials that may be among them and guard against such material leaving NCSA with the person.

Finally, staff will be encouraged to treat with respect the personal and intellectual property of others, as well as the people assigned the responsibility of maintaining that property, including Industrial Partner representatives, University guards, etc. Such respect is reflected in action by such things as knocking on doors before entering, using someone else's personal computer or workstation only with permission, responding willingly to a guard's challenge, etc.

ASSURANCE

The program of defining and implementing appropriate security levels requires a continual process of confirming that both the defined policies and procedures are adequate for the ongoing work of the center, and that those policies and procedures are being properly carried out and communicated to the staff and users. NCSA provides such assurances through a number of organizational and operational facets.

SECURITY OFFICER

First, NCSA will maintain a position of Security Officer, who shall report to the Deputy Director. The individual filling this position will have responsibility for overseeing and coordinating the security program. This person will review all Associate Director defined policy and procedures documents with the intent of ensuring that all conform to NCSA-wide standards and policy. This office will maintain all operative documents including this document and all area definitions of procedures, and will distribute them as appropriate. All external reviews of center wide policies and procedures will be coordinated through this office. Internal reviews and responses to these external reviews will be coordinated and archived. This individual will be authorized to make spot checks of group or individual activities to check on compliance of the established procedures.
Regular reports of staff compliance and problem areas will be generated, on at least a quarterly basis, and relayed to the Deputy Director. This office will be the first point of contact for any request for clarification of NCSA policy and procedures. Finally, the Security Officer will be responsible for coordinating any resolution of incidents related to violations of standing procedures and/or individual incidents resulting in the exposure or potential exposure of proprietary or sensitive information, and will coordinate all correspondence between affected staff and users related to such incidents.

INDUSTRIAL PROGRAM SECURITY LIAISON

NCSA will designate an individual as Security Liaison for the Industrial Partners who will report to the Associate Director of the Academic and Industrial Relations Program. This person will work with the Security Officer in both establishing procedures and resolving incidents related to Industrial Partner activities and interests. The Security Liaison will represent partner security interests during policy evaluation and represent NCSA policy and procedures to the partners.

SYSTEM SECURITY SPECIALIST

The NCSA System Security Specialist will be responsible for coordinating security implementation on the various computers and networks that NCSA supports. This person will, in consultation with users and partners, define system security requirements, participate in the determination of policies and procedures, and produce appropriate documentation. The Specialist will perform periodic reviews of NCSA system security journals and records, and take a lead role in external system security audits and reviews. This person will be notified in the event of any system security related incident, and will work with the NCSA Security Officer and appropriate system administration personnel to resolve and report the incident.
The System Security Specialist will also be responsible for identifying future system requirements for distributed computing and data security, and assist in the planning and implementation of software and hardware solutions.

STAFF RESPONSIBILITY

Each working area (see Appendices) will have an Associate Director (AD) as well as an individual staff member or members responsible for carrying out certain details of the policies and procedures for that area. For each area, it is the Associate Director's responsibility to see that the detailed procedures section is maintained and followed in the daily activities of the staff in that area. It is that AD's further responsibility to respond to requests for information from his or her staff on specific procedures and interpretation of security policy.

It is the responsibility of each staff member to follow the procedures defined for an area in which he or she is engaged. It is also their responsibility to understand the underlying policies which drive those detailed procedures, so that the individual is able to make rational decisions in certain situations not specifically covered by the detailed procedures. However, in the latter case, a further responsibility exists to report the situation and have procedures clarified for future reference by other staff.

Each staff member is expected to report any known or suspected violations of security procedures, or any exposure of known sensitive or proprietary material to unauthorized personnel. This report may be to the Associate Director representing that staff member or to the Security Officer. In all cases, the Security Officer and relevant Associate Director must be informed within 24 hours of the incident in order to provide a timely analysis of and coordinated response to the situation.

Finally, owners of sensitive material who wish, in the course of a collaborative project, to impose limits on the distribution of that material, must provide to those collaborators a written description of the material and the limits on distribution imposed. NCSA provides, in association with University legal counsel, a non-disclosure agreement for such cases.

REVIEWS

The Security Officer will coordinate both internal and external reviews of NCSA security policies and procedures. Internal reviews will be conducted with the Associate Directors and Executive Council participation at least twice yearly. One of these biannual reviews will be in conjunction with an external review conducted by individuals not in the employ of NCSA. The Security Officer, in consultation with the Executive Council, will be responsible for selecting an appropriate review panel for conducting the external review. Such external review will be charged with an assessment of the levels of security provided by NCSA policy and procedures, the success of the defined detailed procedures in meeting the broader policy objectives, and a recommendation on any security holes or procedures that require implementation to maintain the stated policy objectives.

Following the annual external review, the Security Officer will initiate an internal review of the findings and recommendations of such review, and allow for changes in the established procedures. A summary of the external review findings and actions taken will then be made available to all users and partners.

---Appendix 1. Logistical Infrastructure---

NCSA Facilities Physical Security

The integrity and protection of proprietary material and ideas must be treated accordingly by staff members independent of time, situation and location. However, the implementation of physical and system security may be dependent upon physical location. These differences are documented below.

NCSA will treat its various facilities via a hierarchical approach.
The most secure NCSA systems and network connections will be housed in the Advanced Computation Building (ACB). This building contains the large scale supercomputers, the mass storage system and data, along with the systems and other communications handling hardware and network connections to the industrial partners. The ACB has the highest degree of physical security, with some office space for support personnel, but no unescorted access or general accessibility by other staff or users. The outside doors of the building remain locked at all times. Access to the computer rooms is limited, and to gain access to the computer rooms one must pass through at least two locked sets of doors. NCSA Computing and Communications staff use closed circuit TV to observe visitors, as well as an intercom to speak with them prior to the opening of the outside ACB door. NCSA is the only inhabitant of this building; access to the building is controlled by NCSA staff, and other types of direct access to the building are limited to trusted University of Illinois staff.

The ACB was constructed in 1970 to house the then expected ILLIAC IV supercomputer. The building, which consists of three floors of approximately 8000 gsf per floor, is a steel and reinforced concrete structure with poured concrete floors and solid exterior masonry walls. The building's structural system extends through to the roof, which in turn provides the platform for extensive mechanical equipment. The second and third floor construction is capable of supporting the present and all future proposed computer systems. The interior floor to ceiling height at all levels is adequate to provide for the installation of both raised floors and above ceiling mechanical ductwork.

The next most secure area is the Computing Applications Building (CAB). The CAB is managed by and houses NCSA personnel and most Industrial Partner personnel.
Access to the facility is controlled through the locking of all doors except the north, front entrance by the receptionist area during normal hours. All outside doors of the building are locked at all other times. The CAB is equipped with combination locks on some of the outside doors to facilitate the handling of visitors and minimize the distribution of physical outside door keys. The combinations are changed periodically and distributed on a need to know basis. The CAB has many areas designated for the handling of sensitive material, including the industrial partner offices, visualization and media services development areas. Access to the facility is controlled by NCSA staff, and other types of direct access to the building are limited to only trusted University of Illinois staff.

The next most secure area is the Beckman Institute for Advanced Science and Technology (BI), of which NCSA is one of many research group occupants. This building and its associated programs were designed to support a variety of interdisciplinary projects, and to foster an open, academic environment. The BI houses many NCSA staff involved in administration, research, applications, and software development activities, as well as NCSA's Numerical Laboratory (NL) and Renaissance Experimental Laboratory (REL) which supports those activities. The building is patrolled by campus security forces, and they are stationed directly in the facility to respond to any given situation. The facility utilizes an ingress electronic security system to monitor and control after hours access to the building. Security forces also use closed circuit television cameras to monitor the building's ingress/egress pathways. Although NCSA has taken extra precautions with some areas (e.g.
the NL and the REL key access and home run ethernet networks and limited key distribution for partner offices), it is necessary to integrate computer and network systems, as well as physical access with the BI's support and administrative staff.

NCSA workstations and peripheral devices installed in public areas within the BI are secured through the use of fiber optic security systems. These systems annunciate security transgressions via audible and visual alarms monitored by campus security forces. NCSA has also installed an ingress/egress electronic security system throughout the NL and the REL which is compatible with the security system used by the BI. This system enables NCSA to closely monitor and control access to these facilities, as well as immediately detect and respond to any type of physical security transgression within those areas. This system also annunciates security transgressions via audible and visual alarms monitored by NCSA staff and/or campus security forces. NCSA's assigned space within the BI is controlled by NCSA staff, and other types of direct access to NCSA facilities within the BI are limited to only trusted University of Illinois staff.

Finally, NCSA staff occupy all of the Oil Chemistry Building (OCB). Generally, no client and/or user activities are scheduled in the OCB without prior special consideration.

---Appendix 2. Computing and Communications---

Network Security

There are basically two main categories of concern for the network connection between an Industrial Partner and NCSA. They are:

1) types of network traffic or services to be allowed, and in what direction these will be allowed, and
2) physical security of the network media (e.g. ethernet coax cable, fiber optics, etc.).

Furthermore there are three main types of networks that data may traverse while using NCSA:

1) The wide area network (WAN) connection which includes any telecommunications circuits (e.g.
   T1) terminating in NCSA and at the remote partner site and the subnets within the Advanced Computation Building (ACB) which connect the T1 to the Supercomputers and the Mass Storage System. In some cases, the partner uses the Internet, a public research data network, for NCSA access.
2) The NCSA inter-building fiber optic backbone network between the ACB, the Computing Applications Building (CAB), and the Beckman Institute (BI). Partner offices are located in both CAB and BI.
3) The "homerun" ethernet or FDDI local area network in an industrial partner's office in the CAB and/or the BI.

WAN Connection at the Advanced Computation Building

Network Traffic Type/Access Security:

The types of traffic or network services that most Industrial Partners are concerned with from a security standpoint are file transfers (ftp) and interactive sessions (telnet); in particular those that are initiated from NCSA, or any other site, back to the Industrial Partner's remote site. Because of these very valid concerns the remote connections to NCSA are usually set up to allow these services ONLY if they are initiated at the industrial partner's remote site. In cases where the Internet is used for partner connectivity, all security arrangements are done at the partner site and are handled by the partner and the Internet service provider. In these cases, NCSA is only involved in security issues relating to NCSA's inter-building network and the partner's office LAN. The decision regarding how the security is defined is a partner decision made prior to the time of connectivity.

If these services are initiated at NCSA, or any site other than the Partner's own remote site, the traffic is not allowed to pass over the network, depending upon the partner's decision. This is called filtering and is implemented in the routers that control the link (T1) from NCSA to the Industrial Partner's remote site.
Filtering can be employed by partners at their sites if the Internet is used for connectivity to NCSA, but cannot be implemented at the NCSA connection to the Internet.

As a specific example, if an Industrial Partner researcher attempts to connect to NCSA via the network between the Industrial Partner's remote site and NCSA, the connection would be allowed to pass through the routers along the way because the routers which make up the network are set up to trust these services if initiated from the Industrial Partner's network to NCSA. On the other hand, if an individual at the University of Illinois had knowledge of the network address of a machine at an Industrial Partner's remote site, and attempted to connect to that machine, the connection request and any subsequent requests or data packets would not be forwarded to the WAN circuit between NCSA and the Industrial Partner's remote site. The packets would be filtered out by the router at this end of the circuit. To provide redundancy, the router at the Industrial Partner end of the T1 can be set to do the same type of filtering. The network(s) that should be allowed or denied access to the remote site must be specified by that respective partner prior to the time of connectivity.

Network Media Physical Security:

All partner WAN circuits terminate in secure machine rooms in the ACB except those that use the Internet for connectivity. These rooms house the supercomputer systems and the Mass Storage System. The ACB is staffed 24 hours a day, 365 days a year. The doors to the machine rooms and the outside doors to the ACB remain locked at all times. Critical areas outside the machine rooms are monitored via closed circuit TV. Once each shift the NCSA Central Facility staff checks the integrity of the motor generator rooms, penthouse, and stairwell areas. University police patrol the area around the ACB on a regular basis. Lastly, staff patrol the machine rooms at least once per eight hour shift.

Security of the circuits and access to those circuits (T1, etc) between the NCSA terminal block and the remote partner site terminal block is an issue to be discussed between the long distance telecommunications carrier and the Industrial Partner. NCSA has no access or control over the circuit beyond the physical terminal block in the NCSA machine rooms. It is the Industrial Partner's responsibility to initiate any security concerns with the telecommunications carrier(s). The purchase of any type of communications encryption equipment for use in the partner's circuit(s), if desired, is the sole responsibility of the partner.

NCSA Inter-building Backbone Network

Network Traffic Type/Access Security:

The NCSA network that connects the CAB, the BI, and the ACB is the production FDDI ring. Only routers are allowed on the FDDI backbone, and access to these routers is both physically restricted to NCSA staff and restricted from a network software access standpoint. Separate FDDI rings are provided for personal workstations that require FDDI access in each NCSA facility. Network traffic type and access are not an issue on the backbone; all network traffic must be allowed access to the backbone. The type of network traffic that is carried over the backbone is not a security threat. The main security concerns are protection of the backbone traffic from obtrusive and/or non obtrusive tapping. This issue is discussed below.

Network Media Physical Security:

The FDDI ring that runs between the ACB, the BI, and the CAB is a dual counter rotating fiber ring made up of 4 separate strands of multi-mode fiber. The fiber for the FDDI ring runs underground between buildings and is in conduit or locked machine/router rooms within those buildings. Besides the physical security of the network media itself there are inherent characteristics of the fiber that make tapping of the production FDDI ring difficult. Fiber does not radiate electrical signals as does copper.
This prevents non-intrusive tapping. Intrusive tapping would require accessing the fiber, correctly identifying the matching transmit and receive fiber strands, completely severing the fiber and installing the special fiber connectors; a complex and time consuming process. As the networks are monitored continuously, any outage would be immediately detected and investigated. Furthermore, if an intrusive tap were installed, the FDDI nodes on either side of the "new" node would indicate a new upstream and downstream neighbor, making the new node easy to detect and locate.

Industrial Partner's Office(s) Homerun Ethernet in the CAB and/or the BI

Network Traffic Type/Access Security:

The same types of access controls for network traffic type and direction that are applied to the WAN connection can be applied to the secure LAN (Ethernet or FDDI, for example) between the inter-building backbone and the local partner office(s). There is one router in the CAB and one router in the BI marked as a point at which access controls can be implemented. These routers are the beginning of the secure LAN(s); the other end is in the partner's office(s). Within the access router, network traffic/type and direction access controls (filtering) are implemented. The Industrial Partner must decide what type of access is required to and from this subnet. The only machines on this subnet are the ones in the Industrial Partner's office.

The term "attempt to connect" is used to indicate that filtering will determine whether or not a specific type of traffic will be allowed on to the subnet. A person obviously would still require a valid account and password to actually sign onto a machine, if their traffic was allowed onto the subnet by the router. Some of the questions that need to be answered are:

* Should a machine in the Industrial partner's office(s) at NCSA be able to attempt to connect to a machine back at their remote site?
* Should a machine in the Industrial partner's office(s) at NCSA be able to attempt to connect to a machine on the campus or on the Internet?
* Should a machine on the Internet be able to attempt to connect to a machine in the Industrial partner's office(s) at NCSA?

These access controls can be implemented on a host by host basis (the particular host can connect to this particular host and initiate these services), or on a network to network basis (the machines on network A can connect to the machines on network B and initiate these services), or they can be mixed, a particular host to network. As indicated earlier, all Industrial Partner filtering is set up at the time of installation based upon the specifications of the Industrial Partner. Partners can request changes to the filtering as desired.

Network Media Physical Security:

The coax cable for the secure ethernets runs directly from the network equipment rooms in the BI and the CAB to the Industrial Partner offices. The coax is run above a false ceiling, in conduit/raceways, or in locked rooms between the office and equipment rooms. The only machines connected to this coax are the ones in the Industrial Partner's office(s) and the NCSA backbone network router. The network equipment rooms are locked at all times and access is limited to authorized NCSA personnel. (A limited number of the BI network operation personnel do have access to the router rooms in the BI). All the exterior doors to the CAB are locked at 5:00 pm. Please see Appendix 1 for details regarding NCSA facilities physical security. All of the exterior doors to the BI are equipped with key card access controls that record who entered the building, where they entered, and when. The system is activated after normal business hours. There is also a 24 hour guard service in the BI. NCSA personnel are not allowed into the Industrial Partner's offices in the CAB, unless given permission and/or escorted or unless specifically requested by a partner.
NCSA personnel do not have keys to these offices. Key access for the offices in the BI is limited to the partner and to the BI administrative staff.

Additional Physical Security Information Concerning the BI:

The ethernet coax is in conduit where the homerun ethernets run down the hallway under the floor to the Industrial Partner's offices. Staff and partners should also be aware that the BI was built with common floors and ceilings throughout (with the exception of load bearing walls). Above the suspended ceiling tiles, there is approximately 6 feet of space from the top of the walls to the ceiling. Under the raised floor, there is approximately 6 inches of space between the floor and the raised floor.

Operating System Security

NCSA users have access to over 450 computers, which range from the supercomputing Crays which are accessed by over 4000 users from all over the world to MACs and PCs which are located in individual NCSA offices. There are two levels of computing security on which NCSA has focused. These are 1) operating system security and 2) user data security. While these two levels may be seen as having distinct boundaries between the users' and NCSA staff's responsibilities, both NCSA and its user communities must work together to ensure a secure environment for all.

The security of NCSA computing systems has been designed to enhance the collaborative effort of those scientists who choose to work in the NCSA intellectual environment. NCSA policy is that the user should make the decisions regarding data sharing, and NCSA has provided tools and instruction to its users to enable them to do so. Users are encouraged to make an effort to secure the integrity of their own data. To assist, common sense rules with low user impact are proposed to the user community, so that compliance will be high and the efforts not wasted. NCSA administration staff run security checks on items which are strictly under control of the user.
The security for the operating system environment is shared by the vendors of NCSA operating systems and the system administration staff of NCSA for those systems managed by the Computing and Communications (C&C) staff. Individuals may choose to maintain and provide security on their own systems at their discretion.

In order to better understand operating system security activities and procedures, the types of computers this encompasses are listed below:

* Cray-2, Cray Y-MP supercomputers
* TMC CM-5, CM-2, and Convex 3840 supercomputers
* Mass storage system linked to Crays via high speed networks
* Tape i/o system
* Local Area Network File Servers (general purpose)
* Group File Servers (specific to groups)**
* Numerical Lab computers
  - Individual UNIX computers in public rooms
  - Renaissance Experimental Laboratory (REL) computers
* Individual Unix workstations**
* Individual Apple workstations**

** Indicates systems which may be managed by individuals besides C&C.

System administration on these systems is determined by the primary user of the system. NCSA staff systems may be managed by the C&C system administration staff, by C&C system administration staff and the NCSA staff member jointly, or by the NCSA staff member alone. Systems having industrial users are explicitly managed by C&C system administration staff, unless specifically managed by an Industrial Partner's designee. For example, an Industrial Consultant for an Industrial Partner may manage that partner's system(s) within that partner's office(s) if requested by that Industrial Partner.

The operating system security goals are threefold: to prevent access to the systems by unauthorized users, to prevent users with valid logins from unauthorized data access, and to prevent errors by those authorized to make system level changes. The rest of this section focuses on the security function rather than on specific machines since in most cases the tasks are similar for all NCSA computers.
Exceptions to these are noted in the following discussion. Production machines refer to computers that are used by both NCSA academic and industrial users and are administered by C&C.

Physical security

The Cray Y-MP, Cray-2, TMC CM-5, CM-2, Convex 3840, tape i/o system, and the mass storage system are located in secure machine rooms. Unescorted access to the machine rooms is limited to only vital system administration, operation, facilities management, and authorized vendor support personnel and access to the outer rooms is also limited in this fashion. These rooms are staffed 24 hours a day. All doors on these floors are locked at all times. The access door is also monitored via closed circuit television.

The Local Area Network File Servers are located in designated computer rooms. These rooms are locked with controlled access. Access lists are kept for these rooms.

The Numerical Lab computers are located in rooms in the Beckman Institute. These rooms are locked with controlled access limited to authorized staff. Access lists are also kept for these rooms.

Individual workstations are subject to the physical security of the user's offices. This is an area in which the users control physical access to their machine.

Account security

User accounts are created with limited access permissions. New accounts are issued with secure passwords (a minimum of six characters, at least one non-alphabetic character, and no common words found in the English language). Users are encouraged to set a new password during the initial login. Password security after this point is totally under the user's control.

System administrative accounts are maintained with strict permissions. Passwords to these accounts are changed frequently. Access to system accounts is monitored on an ongoing basis. Accounts that are no longer authorized are deactivated when notification from NCSA Client Administration is received.
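The rule for newly issued passwords stated under Account security can be checked mechanically at the time an account is created. The following Python check is an added example, not NCSA's own tooling: the word list is a constructed sample, and reading "contains no common words" as a substring test, ignoring words shorter than four letters, and undoing look-alike substitutions such as 0 for o are assumptions that go beyond the policy wording.

```python
import re

MIN_LENGTH = 6        # from the policy: minimum of six characters
MIN_WORD_LENGTH = 4   # assumption: shorter words match too many random strings

# Constructed sample list; a real deployment would load a full dictionary file.
COMMON_WORDS = frozenset({
    "computer", "dragon", "monkey", "password", "science",
    "secret", "summer", "system", "welcome", "winter",
})

# Assumption: undo common look-alike substitutions before the dictionary check,
# so that "p4ssw0rd" is recognised as a disguised form of "password".
LOOKALIKES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a",
    "5": "s", "7": "t", "@": "a", "$": "s",
})


def find_common_word(password, words=COMMON_WORDS):
    """Return the first common word embedded in the password, or None.

    The password is compared case-insensitively, both as typed and with
    look-alike characters mapped back to letters.
    """
    lowered = password.lower()
    candidates = (lowered, lowered.translate(LOOKALIKES))
    for word in sorted(words):          # sorted for a deterministic result
        if len(word) < MIN_WORD_LENGTH:
            continue
        if any(word in candidate for candidate in candidates):
            return word
    return None


def check_password(password, words=COMMON_WORDS):
    """Return a list of rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("no_non_alphabetic")
    word = find_common_word(password, words)
    if word is not None:
        problems.append("common_word:" + word)
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ("Tr9!kq", "abc1", "qzvkrtb", "summer93", "P4ssw0rd", "secret"):
        result = check_password(candidate)
        print(f"{candidate!r:12} -> {'ok' if not result else ', '.join(result)}")
```

"P4ssw0rd" satisfies the length and non-alphabetic rules as literally written and is rejected here only because of the substitution step.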
File system security

All system files are protected from user modification and are checked periodically for modifications. All privileged programs are monitored for use or for unauthorized changes. Common operator activities requiring privileges are performed via menus to log activity, to prevent user errors, and to limit access to privileged system accounts.

Network Issues

C&C managed file systems are exported only to systems located on NCSA managed networks, except under rare circumstances where extensive investigations have proved that security transgression(s) should not occur. NCSA continues to study the enhanced disk capability available with NFS mounted file systems in light of system security needs.

Data integrity (backups)

Backups are performed periodically on all production systems. These backups are done to ensure data integrity in the event of hardware failures. General scratch and tmp areas on the disks are not backed up since these data areas are very large and are considered as temporary storage space only. Users are responsible for migrating their data files to the mass storage system, from which regular system backups provide media protection. Backups are tested for readability once a month. Backup tapes are stored in alternate secure areas in other NCSA facilities.

System Administration Security Monitoring

Security is a very complex issue. While certain tasks can be automated, the basic level of security must come from those administrators who, as part of their training and job responsibilities, understand their respective systems. The number of administrators and the time spent on system security varies with each machine. NCSA's approach when possible security problems arise is to gather as much data as possible regarding a possible security problem without compromising system or data security.

---Appendix 3. Software Development Group---

SDG Project Security Procedures

This appendix describes the Software Development Group (SDG) procedures and policies, first as they specifically relate to projects involving confidential information and participation by NCSA industrial partner representatives and then as they relate to more general security concerns. In working with NCSA industrial partners, the following security procedures are followed in SDG activities.

General description of SDG activities with industrial partners

SDG activities with industrial partners involve various meetings where partner research might be discussed, projects in which partner research data may be transferred to the NCSA computing environment to be processed, projects in which partner proprietary software may be transferred to the NCSA computing environment to be enhanced or ported to an optimal architecture and/or used in the development of software for the partner.

SDG activities can be broken down into two main categories.

1) Strategic SDG Planning
2) SDG Project Work

There are two principal areas of activity with industrial partners. The first is strategic planning. The second is the project. The process involved in these two areas is summarized to indicate where security issues are present, and what is done to preserve security in the process.

Strategic SDG planning meetings

When industrial partners are working with SDG, meetings are held where key members of the SDG staff meet with industrial partner representatives to discuss strategies for SDG development. Occasionally, meetings can involve matters which are sensitive or proprietary. In such cases it shall be the responsibility of the industrial partner representative to clearly identify all material, written or verbal, that is considered proprietary and subject to non-disclosure.
At the request of the partner representative, the project leader for the SDG project will ensure that all NCSA personnel involved have signed appropriate non-disclosure agreements provided by the partner representative if notified by the industrial partner that proprietary information will be discussed.

Security action for Strategic SDG planning meetings:

1. The partner representative will notify the project leader, before any meeting of this type, whether it will involve security issues.
2. If security issues are involved, the partner representative will provide a written statement to the project leader which describes the security issue and indicates what action is necessary to preserve security; non-disclosure to be signed, participation to be restricted, precautions to be taken with printed materials, etc.
3. If requested by the industrial partner representative, an SDG Group representative (the project leader unless otherwise stated) will be designated to carry out the security action. This person will execute the security action and report in writing the completion of the action to the partner representative and the Associate Director of the Software Development group.

SDG projects

SDG projects are activities in which the SDG works with industrial partner representatives to develop and deliver SDG software projects on NCSA systems. Projects will sometimes include the transfer of some amount of software and/or data from the industrial partner to the SDG computing environment. The data may be transferred to various storage areas in SDG group computing work space.

SDG projects include the following phases:

1) planning
2) multipart operation phase which includes:
   a) development
   b) review
   c) execution
   d) delivery

Security action for SDG projects:

Planning phase - two or more meetings held. During the first meeting:

1. If the partner representative requests it, the project will be given a code number which will include at least the Partner name and a number.
This code number will be used throughout the project in internal and external communications and planning tools and documents to identify and track activities associated with it. Again, if requested by the partner representative, no NCSA planning or archive documentation will include a textual name associated with the project that might reflect the specific or general field of study.
2. The partner representative will notify the project leader, before any meeting of this type, whether it will involve proprietary data, concepts or printed materials. Any special security arrangements or precautions beyond those laid out in this document will be addressed at the beginning of the first meeting.
3. If security issues are involved, the partner representative will provide a written statement which describes the security issue and indicates what action is necessary to preserve security; non-disclosure to be signed, participation to be restricted, etc.
4. An SDG group representative (the project leader unless otherwise stated) will be designated to carry out the security action. This person will execute the security action, and report in writing the completion of the action to the partner representative and to the designated NCSA management person before any subsequent meetings or planning occur.
5. A list of participants for the project is drawn up by the project leader and the partner representative. This validation list includes both NCSA and partner personnel. It is to include all individuals who will have access to any of the information through the planning and execution of the project. It may only be amended by signed common agreement between the partner on-site representative and the SDG project leader. A review of the participant list is done at the final planning meeting, with individuals added or removed as necessary.

Multipart operation phase (development, review, execution, and delivery).
This phase involves obtaining access to partner research problems, and the development of approaches to the solutions to these problems, which may include development of software, enhancement of existing software, or the porting of software to optimal architectures. This phase may also include obtaining access to partner proprietary software, or to third party software licensed to the partner. This software development and enhancement is performed on NCSA computer systems (computers and disk file systems) located in the Advanced Computation Building, Computing Applications Building, Oil Chemistry Building and the Beckman Institute.

Security issues in this phase involve access to data, as well as exposure to concept/information. In this phase, both ASCII and visual display of data (visualization) as well as text/graphic annotation may exist with video terminal/monitor display or in printed materials. Proprietary documentation on partner software or third party software may be made available to SDG staff.

1. General
   a. Determine from the partner representative, before this phase, whether it will involve security issues.
   b. If security issues are involved, the partner representative will provide a written statement which describes the security issue and indicates what action is necessary to preserve security; non-disclosure to be signed, participation to be restricted, etc.
   c. An SDG Group representative (the project leader unless otherwise stated) will be designated to carry out the security action. This person will execute the security action, and report in writing the completion of the action to the partner representative and to the designated NCSA management person. This will include a list of personnel with need for access to data and information.

2. Project operation; data, software or information access and handling.
The SDG group responsibility for data, software or proprietary information begins when data, software or proprietary information is transferred from partner disk space to SDG group disk space, or when printed proprietary information is handed by an industrial partner representative to a member of the SDG group. All systems on which SDG development is performed are administered by either a designated member of the SDG group or by the Computing and Communications staff.
   a. As requested by the partner representative, appropriate access permissions to SDG group disk space are assigned to the industrial partner (as a group). Only designated partner personnel and SDG group personnel with need for access to this data (validation list discussed above) will have permission to this group.
   b. If requested by the partner, partner personnel will perform all required data transfers from partner data space to the SDG group file areas. At the discretion of the partner representative, NCSA personnel will be given any access permissions to Partner data, file systems, directories or files.
   c. SDG Group personnel with need for access to this data are listed (as under 1c above), and will have been cleared through the appropriate security action.
   d. During the production phase, some data will be stored on SDG group file systems.
   e. At the end of the project operation, all data will be moved to partner designated space. This can again be performed from the partner side, with no access to other partner data, directories or files given to NCSA personnel in order to carry out these moves. Following this step, no data from the project will remain in disk space or file areas under SDG Group control. The project leader will provide a final written report stating that this has been done which will be transmitted to the partner representative and to the designated NCSA management person.
   f. SDG staff working on industrial projects will safeguard their work by making back-up copies of SDG software in development. A partner may specify particular back-up procedures to be taken. If special equipment is needed to accomplish these, it will be provided at partner expense. The same precautions taken with proprietary data, software and information will be taken with back-up copies of this data, software, and information. At the end of the project operation, all back-up data and back-up copies of software will be moved to partner designated space. Any back-up data or software existing on tape or another medium will be delivered to the Partner. Following this step, no data from the project will remain in disk space or file areas under SDG control. The project leader will provide a final written report stating that this has been done which will be transmitted to the partner representative and to the designated NCSA management person.

3. Project operation (display and media recording of data and research information).

Security issues in this area arise from the visual display and media recording of data and research information and from the availability of print media containing proprietary data or information.
   a. Display on video workstations. At the request of the partner representative all display of visual material which must be secure will occur on video workstations in a secure, locked workspace. If workstations must be purchased to put in a secure area, the cost will be paid by the partner requesting this level of security.
   b. Availability of printed material. At the request of the partner representative all availability of printed material which must be secure will occur in a secure, locked workspace. This material will be stored in a locked file cabinet or desk drawer in a locked office when not in use.
The partner will specify the printed material to be treated as proprietary, and the precautionary measures to be taken when the initial written statements of security actions required and non-disclosures are being composed for a particular project. If special equipment is required, e.g. a locked, fireproof safe, it will be provided at partner expense.
   c. If, during the development of the project, additional consulting work is required by individuals not on the initial project list, either the information passed to them will not involve any technical details of the project and they will not be exposed to any proprietary data, visual representations of that data, or proprietary printed materials, or they will be added to the project list by consent of the partner on-site representative.
   d. The SDG project leader will manage the "need to know" of SDG staff and other NCSA staff with respect to partner projects in the SDG, in consultation with the industrial partner representative overseeing the project.

Other SDG Security Procedures

The SDG will work to maintain an environment where security concerns are taken seriously, with the Associate Director and the project leaders setting an example for the rest of the staff. SDG will respect the security of personal information, as well as information of strategic importance to NCSA and NCSA's industrial partners.
* Security will be raised for discussion on an 'as needed' basis at SDG staff meetings
* Security issues will be discussed with new hires, both academic and non-academic
* Signing of non-disclosure agreements will be accompanied by a review of the associated responsibilities
* Security concerns will be discussed at exit interviews with staff
* Security of proprietary software and data will be assured by proper use of permission shells and file protection
* SDG staff will be alerted to correct use of permission shells and file protection
* SDG staff are housed in the Beckman Institute, the Computing Applications Building, and the Oil Chemistry Building and will follow recommended security procedures. Please note that these include locking office doors when leaving the office, and carrying one's keys at all times, particularly in the evenings and on weekends.
* Security issues will be discussed with visitors hosted by members of the SDG on an as needed basis
* Keys and keycards which are distributed to visitors will be collected upon their exit.

---Appendix 4. Applications---

This appendix describes the Applications procedures and policies, first as they specifically relate to projects involving confidential information and participation by NCSA Industrial Partner representatives and then as they relate to more general security concerns. In working with NCSA industrial partners, the following security procedures are followed in Applications activities.

General description of Applications activities with industrial partners

Applications activities with industrial partners involve various meetings where partner research might be discussed, projects in which partner research data may be transferred to the NCSA computing environment to be processed, and projects in which partner proprietary software may be transferred to the NCSA computing environment to be enhanced or ported to an optimal architecture.

Applications activities can be broken down into two main categories.
1) Strategic Applications Planning
2) Applications Project Work

There are two principal areas of activity with industrial partners. The first is strategic planning. The second is the project. The process involved in these two areas is summarized to indicate where security issues are present, and what is done to preserve security in the process.

Strategic applications planning meetings

When industrial partners are working with the Applications Group, meetings are held where key members of the Applications staff meet with industrial partner representatives to discuss strategies for applications development. Generally, these meetings do not involve any matters which are sensitive or proprietary. Occasionally, meetings can involve matters which are sensitive or proprietary. In such cases it shall be the responsibility of the Industrial Partner representative to clearly identify all material, written or verbal, that is considered proprietary and subject to non-disclosure. It is the responsibility of the Associate Director of Applications to ensure that all NCSA personnel involved have signed appropriate non-disclosure agreements.

Security action for Strategic applications planning meetings:

1. Determine from the partner representative, before any meeting of this type, whether it will involve security issues.
2. If security issues are involved, obtain from partner representative a written statement which describes the security issue and indicates what action is necessary to preserve security; non-disclosure to be signed, participation to be restricted, precautions to be taken with printed materials, etc.
3. An Applications Group representative will be designated to carry out the security action. This person will execute the security action and report in writing the completion of the action to the partner representative and the designated NCSA management person.
Applications projects

Applications projects are activities in which the Applications Group works with industrial partner representatives to develop and deliver applications software or the results of computations on NCSA systems. Projects will sometimes include the transfer of some amount of software and/or data from the industrial partner to the Applications Group computing environment. This transfer occurs from an industrial partner CFS storage area to an applications group CFS storage area. The data is then transferred to various storage areas in applications group computing work space.

Applications projects include the following phases:

1) planning
2) multipart operation phase which includes:
   a) development
   b) review
   c) execution
   d) delivery

Security action for applications projects:

Planning phase - two or more meetings held. During the first meeting:

1. The project will be given a code number which will include at least the Partner name and a number. This code number will be used throughout the project in internal and external communications and planning tools and documents to identify and track activities associated with it. No NCSA planning or archive documentation will include a textual name associated with the project that might reflect the specific or general field of study.
2. Determine from the partner representative, before any meeting of this type, whether it will involve proprietary data, concepts or printed materials. Any special security arrangements or precautions beyond those laid out in this document will be addressed at the beginning of the first meeting.
3. If security issues are involved, obtain from partner representative a written statement which describes the security issue and indicates what action is necessary to preserve security; non-disclosure to be signed, participation to be restricted, etc.
4. An applications group representative will be designated to carry out the security action.
This person will execute the security action, and report in writing the completion of the action to the partner representative and to the designated NCSA management person before any subsequent meetings or planning occur. 5. A list of participants for the project is drawn up. This validation list includes both NCSA and Partner personnel. It is to include all individuals who will have access to any of the information through the planning and execution of the project. It may only be amended by signed common agreement between the Partner on-site representative and the VG manager. A review of the participant list is done at the final planning meeting, with individuals added or removed as necessary. Multipart operation phase (development, review, execution, and delivery). This phase involves obtaining access to Partner research problems, and the development of approaches to the solutions to these problems, which may include development of software, enhancement of existing software, or the porting of software to optimal architectures. This phase may also include obtaining access to Partner proprietary software, or to third party software licensed to the Partner. This software development and enhancement is performed on NCSA computer systems (computers and disk file systems) located in the Advanced Computation Building or on Numerical Lab machines located in the Beckman Institute. Security issues in this phase involve access to data, as well as exposure to concept/information. In this phase, both ascii and visual display of data (visualization) as well as text/graphic annotation may exist with video terminal/monitor display or in printed materials. Proprietary documentation on Partner software or third party software may be made available to Applications staff. 1. General a. Determine from the partner representative, before this phase, whether it will involve security issues. b. 
If security issues are involved, obtain from partner representative a written statement which describes the security issue and indicates what action is necessary to preserve security; non-disclosure to be signed, participation to be restricted, etc.
   c. An Applications Group representative will be designated to carry out the security action. This person will execute the security action, and report in writing the completion of the action to the partner representative and to the designated NCSA management person. This will include a list of personnel with need for access to data and information.

2. Project operation; data, software or information access and handling.

The applications group responsibility for data, software or proprietary information begins when data, software or proprietary information is transferred from CFS (under responsibility of NCSA Central Facilities group), to applications group disk space or when printed proprietary information is handed by an industrial Partner representative to a member of the Applications group. All systems on which applications development is performed are administered by either a designated member of the Applications group or by NCSA Computing and Communication (C&C) staff.

   a. Appropriate access permissions to applications group disk space are assigned to the industrial partner (as a group). Only designated partner personnel and applications group personnel with need for access to this data (validation list discussed above) have permission to this group. No one else has access to this space.
   b. Partner personnel perform all required data transfers from Partner data spaces (on supercomputer disk or CFS) to the Applications Group file areas. At no time are NCSA personnel given any access permissions to Partner data, file systems, directories or files.
   c. Applications Group personnel with need for access to this data are listed (as under c above), and will have been cleared through the appropriate security action.
   d.
During the production phase, some data will be temporarily stored on Applications group CFS space. Such CFS space will be accessible only to those individuals on the Project Validation List. Likewise, because the CFS access requires staging on Cray disk, the scratch file areas used for this staging will be accessible only by those same individuals (or fewer).
   e. At the end of the project operation, all data will be moved to partner designated space on CFS. This can again be performed from the Partner side, with no access to other Partner data, directories or files given to NCSA personnel in order to carry out these moves. Following this step, no data from the project will remain in disk space or file areas under Applications Group control. A final written report stating that this has been done will be transmitted to the partner representative and to the designated NCSA management person.
   f. Applications staff working on industrial projects will safeguard their work by making back-up copies of applications software in development. These will typically be stored to CFS. A Partner may specify particular back-up procedures to be taken. If special equipment is needed to accomplish these, it will be provided at Partner expense. The same precautions taken with proprietary data, software and information will be taken with back-up copies of this data, software, and information. At the end of the project operation, all back-up data and back-up copies of software will be moved to partner designated space on CFS. Any back-up data or software existing on tape or another medium will be delivered to the Partner. Following this step, no data from the project will remain in disk space or file areas under Applications Group control. A final written report stating that this has been done will be transmitted to the partner representative and to the designated NCSA management person.

3. Project operation (display and media recording of data and research information).
Security issues in this area arise from the visual display and media recording of data and research information and from the availability of print media containing proprietary data or information.

   a. Display on video workstations. All display of visual material which must be secure will occur on video workstations in a secure, locked workspace. Only those on the Project Validation List will be permitted entry.
   b. Availability of printed material. All availability of printed material which must be secure will occur in a secure, locked workspace. This material will be stored in a locked file cabinet or desk drawer in a locked office when not in use. The Partner will specify the printed material to be treated as proprietary, and the precautionary measures to be taken when the initial written statements of security actions required and non-disclosures are being composed for a particular project. If special equipment is required, e.g. a locked, fireproof safe, it will be provided at partner expense.
   c. If, during the development of the project, additional consulting work is required by individuals not on the Project Validation List, either the information passed to them will not involve any technical details of the project and they will not be exposed to any proprietary data, visual representations of that data, or proprietary printed materials, or they will be added to the List by consent of the Partner on-site representative.
   d. The Associate Director of Applications will manage the "need to know" of Applications staff and other NCSA staff with respect to Partner projects in the Applications Group, in consultation with the Industrial Partner representative overseeing the project.

Other Applications Security Procedures

The NCSA Applications Group will work to maintain an environment where security concerns are taken seriously, with the Associate Director and the Senior Staff setting an example for the rest of the staff.
The Applications Group will respect the security of personal information, as well as information of strategic importance to NCSA and NCSA's industrial partners.

* Security will be raised for discussion on a regular basis at meetings of the Research Council and the Applications Staff
* Security issues will be discussed with new hires, both academic and non-academic
* Security issues will be discussed with visitors hosted by members of the Applications Group
* Signing of non-disclosure agreements will be accompanied by a review of the associated responsibilities
* Security concerns will be discussed at exit interviews with staff
* Security of proprietary software and data will be assured by proper use of permission shells and file protection
* Applications staff will be trained in correct use of permission shells and file protection
* Applications staff are housed in the Beckman Institute, and will follow recommended Beckman Institute security procedures. Please note that these include locking office doors when leaving the office, and carrying one's keys at all times, particularly in the evenings and on weekends.

Appendix 5. Academic and Industrial Relations Security Policy and Procedures Implementation Plan

The Associate Director has conducted security discussions with the managers of the group to exchange information on NCSA's policy and procedures and the steps taken by each manager within their own area. The Associate Director and managers will continue to review the current policies and procedures and raise concerns and issues for further change and improvement to be taken to the Executive Council and the Security Officer. All security violations and non-compliance situations will be made known to the Associate Director and the Security Officer. The following are specific actions and responsibilities.
* The Associate Director will raise security for discussion on a regular basis at meetings with managers and staff
* Each manager will keep their staff aware and informed of policies and procedures, and be responsible for security within their own area
* Managers will discuss security with each new employee
* Managers will conduct exit interviews and discuss security aspects
* The Associate Director will work with all NCSA staff to clarify the nature and purpose of non-disclosure agreements and keep a file of such agreements. Associate Directors of any staff signing non-disclosure agreements will receive copies of the agreements.
* The Manager of Training will work with the Security Officer to conduct staff awareness training sessions on a regular basis.
* The Client Administration group has implemented and continues to monitor their security procedures related to the handling of signons and accounts to maintain secure data and to maintain confidentiality of password information.
* Each staff member will make visitors to the center aware of NCSA's security policy and procedures. Keys and keycards which are distributed to visitors will be collected upon their exit.

NCSA Publications Group

The Publications Group is concerned with security of:
* Centerwide presentation materials (electronic or hard copy)
* Source materials for public information and technical documentation

Centerwide Presentation Materials

The Publications Group is responsible for producing major centerwide presentations, such as the Program Plan Review Panel presentation, Site Visit presentation, and the Annual Industrial Partners Meeting presentations. For presentations that have already been completed, we have assured their security by reviewing all the existing materials. Materials of proprietary or confidential nature were deleted from staff hard drives and put on floppy disks which are locked in a cabinet in room 270 CAB.
For future centerwide presentations, the following steps will be taken:

* All security requests must be specified in writing by the user/client and signed by the user/client, the Publications Manager and the AD for Academic and Industrial Relations Program. Unless such a request is made, work will be done in a non-secure fashion, i.e., the work may be distributed throughout the division and done on several different workstations at non-secure locations.
* If special security is requested, the following precautions will be available. The user/client must specify.
   - The work in question will be done in the Publications Group staff offices only. During the project, access to these rooms will be restricted to Publications group personnel.
   - During the project all hard copy and work disks will be locked away after being worked on.
   - Upon completion of such a project, all electronic and hard copy will either be filed securely by the Publications Manager, deleted and/or returned in whole or part with appropriate signed statements that all known versions of the project and related materials have been disposed of as specified.

Newsletters and Public Information and Technical Materials

The Publications Group will assume that written material submitted for inclusion in the newsletters and other materials is nonproprietary. If interviewees or contributors have confidential or proprietary information, it is up to them to specify in writing to the project editor or note during the material's review process. In general, the Publications Group will follow these procedures:

* Illustrative material obtained from NCSA Media Services or the Visualization Group - It is assumed that copyright issues have been resolved and the Publications Group is free to include such material in its publications.
* Background or illustrative material not owned by NCSA - The project editor will confirm copyright information with the contributor before inclusion in any publication.
The contributor will be required to sign a standard release form, which has been drawn up with the aid of the University of Illinois Office of Legal Counsel. If any materials are to be restricted from dissemination, these must be specified by the contributor to the editor on the release form. A copy of a form showing restrictions will be provided by the project editor to the Manager of Publications.
* Technical review - Established review procedures already provide an opportunity to omit sensitive information from drafts.
* Permission to copy - The Publications Group will continue to ensure that we have permission to duplicate vendor documents.

INDUSTRIAL PROGRAM CONSIDERATIONS

The Industrial Partners have specific security requirements due to the nature of their work and our interaction with them. Much of the research conducted by our partners is highly sensitive and could cause significant harm to the corporation's competitive position if it were to fall into the wrong hands. Additionally, much of the work done here by our partners represents a major investment, and loss of the data or alteration of the data could cause a major financial loss. Although it is the responsibility of each partner to identify proprietary data, it is prudent for everyone to regard all data and information held by a partner to be proprietary until or unless access is freely given. Our dealings with partners reflect our sensitivity to the security of their data.

INDUSTRIAL RELATIONS PROCEDURES

A. REPRESENTATION WITH NCSA STAFF AND WITH PARTNERS

It is the responsibility of the Assistant Director, Industrial Relations to act as a liaison between the partners and the NCSA Security Officer in regard to security matters. This includes representing partner needs and concerns to NCSA and representing NCSA policies and procedures to the partners.
The Assistant Director of Industrial Relations will work with all NCSA staff to clarify the nature and purpose of non-disclosure agreements with the corporations and keep a file of such agreements. Associate Directors of any staff signing non-disclosure agreements will receive copies of the agreements.

B. IP STAFF TRAINING AND EXIT INTERVIEWS

Each new Industrial Program staff member will be briefed on the NCSA and IP security policies and procedures within one week of starting work. This briefing will be documented. These interviews/briefings will include the legal commitment to safeguard proprietary information after an employee leaves NCSA. Additional topics include:

Integrity and protection of proprietary material, such as:
- contracts
- non-disclosure forms
- software usage
- planning documents
- correspondence
- project descriptions
etc.

The NCSA IP staff will be trained on handling telephone, correspondence, and face to face information requests.

C. PARTNER INTERACTIONS

The Assistant Director is responsible for coordinating interactions between the Industrial Partners and NCSA in regard to security matters. He is the principal point of contact for the partners when a security question or issue arises. This does not restrict partner access to the NCSA Security Officer or to other staff, particularly when timeliness is important and the Assistant Director is unavailable. Coordination includes, but is not limited to, the following:

* Coordinate visits by partner security departments.
* Oversight of security provisions in legal agreements and legal interface.
* Provide briefing for new partner on-site representative on specific NCSA/Industrial Program security policies and procedures. Make similar presentations at corporate headquarters, when requested.
* Support Security Officer investigations of any incidents.

D. PARTNER OFFICE SPACE

Each Industrial Partner is assigned an office space at NCSA, normally in the Computing Applications Building.
Some partners also have an office in the Beckman Institute. The legal agreement with each partner clearly establishes that the partner controls access to their assigned office. Each member of the staff must respect the office as if it were an extension of the particular corporation's headquarters.

E. SPECIFIC PARTNER REQUIREMENTS

Eli Lilly has specifically requested that anyone representing the corporation be challenged to produce a corporate identification card assuring their employment by the corporation or that they be with someone from the corporation that can attest to their right to have access to Eli Lilly facilities. Any irregularities should be reported to the NCSA Security Office, the Industrial Liaison and the primary Eli Lilly liaison to NCSA. Anyone using the on-site Eli Lilly office must have such identification or be cleared by another Eli Lilly employee. Anyone that is within the Eli Lilly office(s) that is unable to identify themselves in such manner, shall immediately be asked to leave the office. Such incidents shall be reported to the NCSA Security Officer, the Industrial Liaison and the primary Eli Lilly liaison to NCSA.

Visualization Project Security Procedures

This section describes the procedures and policies to be followed on visualization projects involving proprietary or sensitive data. The most common type of project of this nature is one with an Industrial Partner involving confidential information, but any collaboration may need this degree of protection and it should be offered to any researcher.

Background

Scientific Visualization is an area in which NCSA has traditionally excelled and technology transfer in this area to and from Industrial Partners and other researchers is an ongoing process. In many cases this transfer is done as a Visualization Project and most are with an Industrial Partner. The project may involve people from different groups within NCSA, such as the Software Development Group, Media Services and the AIRP group.
The Associate Director of AIRP has overall coordination responsibility for these projects and the Assistant Director of Industrial Relations or his designee will have day-to-day coordination responsibility for Industrial Partner visualization projects.

General description of visualization project activities with industrial partners or involving sensitive information.

Visualization activities of this sort involve various meetings where the research might be discussed, and projects in which research data is transferred to the visualization computing environment to be processed into visualization software and video/film media. Visualization activities will normally occur in two phases:
1) Strategic Visualization Planning
2) Visualization Project Work

The processes involved in these two phases are summarized below to indicate where security issues are present, and what is done to preserve security in the process. The processes are described for use with an Industrial Partner but are equally applicable to a project with any researcher if sensitive material is involved.

Strategic visualization planning meetings

In the planning phase, meetings are held where the key NCSA staff members meet with the researcher(s) and/or industrial partner representatives to discuss strategies for visualization development. Generally, these meetings do not involve any matters which are sensitive or proprietary. Occasionally, sensitive or proprietary information may be discussed. In such cases it shall be the responsibility of the Industrial Partner to clearly identify all material that is considered proprietary and subject to non-disclosure. It is the responsibility of the assigned AIRP Manager to ensure that all NCSA personnel involved have signed appropriate non-disclosure agreements.

Security action for Strategic visualization planning meetings:

1. Determine from the partner or researcher, before any meeting of this type, whether it will involve security issues.
2.
If security issues are involved, obtain from the partner or researcher a written statement which describes the security issue and indicates what action is necessary to preserve security; non-disclosure to be signed, participation to be restricted, etc.
3. An NCSA staff member will be designated to carry out the security action. This person will execute the security action and report in writing the completion of the action to the Partner and the designated NCSA management person.

Visualization projects

Visualization projects are activities in which NCSA staff works with the Industrial Partner to develop and deliver visualization materials. These visualization materials might be visualization software and/or film/video media. Projects will always include the transfer of some amount of data from the Industrial Partner to the NCSA visualization computing environment. This transfer normally occurs from an Industrial Partner to a designated visualization computer file or directory. The data is then transferred to various storage areas in the NCSA visualization computing work space, and in most cases, transferred to film/video media.

Visualization projects include the following phases:
1) planning
2) multi-part operation phase which includes:
   a) development
   b) review
   c) execution
   d) delivery

Security action for visualization projects:

The Planning Phase normally includes two or more meetings. During the first meeting:

1. The project will be given a code number which will include at least the Partner name and a number. This code number will be used throughout the project in internal and external communications and planning tools and documents to identify and track activities associated with it. No NCSA planning or archive documentation will include a textual name associated with the project that might reflect the specific or general field of study.
During this meeting the form of the final deliverable will also be decided, which could be software, video data in one or more formats, or both.
2. Determine from the partner representative, before any meeting of this type, whether it will involve proprietary data, concepts or documentation. Any special security arrangements or precautions beyond those laid out in this document will be addressed at the beginning of the first meeting.
3. If security issues are involved, obtain from partner representative a written statement which describes the security issue and indicates what action is necessary to preserve security; non-disclosure to be signed, participation to be restricted, etc.
4. An NCSA staff member will be designated to carry out the security action. This person will execute the security action, and report in writing the completion of the action to the partner representative and to the designated NCSA management person before any subsequent meetings or planning occur.
5. A list of participants for the project is drawn up. This validation list includes both NCSA and Partner personnel. It is to include all individuals who will have access to any of the information through the planning and execution of the project. It may only be amended by signed common agreement between the Partner and the cognizant NCSA manager. A review of the participant list is done at the final planning meeting, with individuals added or removed as necessary.
6. There may be additional planning meetings before the operation phase begins. At any of these meetings additional security issues may be raised as the project takes on its final form. Any new issues will be handled as during the first meeting.

Multi-part operation phase (development, review, execution, and delivery).

This phase involves obtaining access to Partner research data-sets which are then analyzed and manipulated by a variety of software and hardware tools to create a visual representation of the data.
The majority of this development is performed on Silicon Graphics systems (computers and disk file systems) located in the Computing Applications Building. In addition, some work may be performed on Numerical Lab machines in the Beckman Institute.

In general, the data sets from the researcher are transferred into visual form by passing them through sets of filters, operated on by software packages, and producing three dimensional visualizations consisting of sets of image frame data files which are combined to form animations. In some visualization projects, the final product is a set of filters or some software custom developed by NCSA to operate on the specific datasets.

Security issues in this phase involve access to data, as well as exposure to concept/information. In this phase, visual display of data (visualization) as well as text/graphic annotation exists with video terminal/monitor display, and on film/video media.

1. General
   a. Determine from the partner representative, before this phase, whether it will involve security issues.
   b. If security issues are involved, obtain from the partner a written statement which describes the security issue and indicates what action is necessary to preserve security; non-disclosure to be signed, participation to be restricted, etc.
   c. An NCSA staff member will be designated to carry out the security action(s). This person will execute the security action(s), and report in writing the completion of the action to the partner representative and to the designated NCSA management person. This will include a list of personnel with need for access to data and information.

2. Project operation; data access and handling.

The NCSA responsibility for data begins when the data is transferred from a Partner controlled storage area to an NCSA visualization disk space. The partner controlled storage area may be the NCSA Mass Store System or a storage system at a corporate site.
All systems on which visualization development is performed are administered by NCSA, including the Visualization SGI systems, and the BI SGI systems.

   a. Appropriate access permissions to visualization group disk space are assigned to the industrial partner (as a group). Only designated partner personnel and visualization group personnel with need for access to this data (validation list discussed above) have permission to this group. No one else has access to this space.
   b. Partner personnel perform all required data transfers from Partner data spaces to the NCSA visualization file areas. At no time are NCSA personnel given any access permissions to Partner data, file systems, directories or files.
   c. NCSA visualization personnel with need for access to this data are listed (as under c above), and will have been cleared through the appropriate security action.
   d. During the production phase, some data will be temporarily stored in directories and files in the NCSA Mass Store System. Such MSS space will be accessible only to those individuals on the Project Validation List. Likewise, because the MSS access requires staging on Cray disk, the scratch file areas used for this staging will be accessible only by those same individuals (or fewer).
   e. At the end of the project operation, all data will be moved to partner designated space in the Mass Store System. This can again be performed from the Partner side, with no access to other Partner data, directories or files given to NCSA personnel in order to carry out these moves. Following this step, no data from the project will remain in disk space or file areas under NCSA control. A final written report stating that this has been done will be transmitted to the partner representative and to the designated NCSA management person.

3. Project operation (display and media recording of data and research information).
Security issues in this area arise from the visual display and media recording of data and research information.

   a. Display on video workstations. All display of visual material which must be secure will occur on video workstations in a secure, locked work space. Only those on the Project Validation List will be permitted entry.
   b. If, during the development of the project, additional consulting work is required by individuals not on the Project Validation List, either the information passed to them will not involve any technical details of the project and they will not be exposed to any data or visual representations of that data, or they will be added to the List by consent of the Partner representative.
   c. Recording on film and video media. (This occurs within the media service activity and security issues are described in the media service security procedure. Refer to this document.)

4. Project operation (completion and delivery).

When the project is complete and the final products are ready for delivery to the partner, a memo to this effect will be prepared and signed by both the NCSA staff member assigned to the project and a partner representative. This memo will explicitly state that all proprietary or sensitive files or data have been returned to the partner or destroyed. Delivery of film and video media will be as described in the Scientific Communications and Media Systems section. (Appendix 6)

---Appendix 6---

Scientific Communications and Media Systems (SCMS)

SCMS produces scientific communications (comprising Video Programming and Communications Graphics) and also processes computer imagery to different media. Security issues for each apply to the other as projects cross between these two general areas.

General Policy and Practice

* The SCMS Co-Directors (David Curtis and Donna Cox) will be responsible for discussing NCSA and group security policy with group staff.
* Guidelines will be drawn up covering the following:
   - When to lock rooms.
   - What materials to lock up, i.e., sensitive materials when not in use.
   - When to avoid putting materials in mailboxes.
   - When to hand-deliver.
* The Co-Directors will be responsible for exit interviews, including the collection of keys (and keycards and photo IDs).
* The Co-Directors will collect security document acknowledgment.
* The Co-Directors will report to the Security Officer and/or the EC any non-compliance.
* Staff will participate in appropriate training as offered or required.

Copyright will be confirmed with groups providing material for all illustrative materials (still pictures, transparencies, video) obtained from them before such materials are included in any NCSA press releases or other printed or electronic publicity material or video programming. If necessary (i.e., if such materials are not owned by NCSA or do not reside within the public domain), written permission to reproduce any such materials will be first secured from the copyright holder. In most cases, a standard release form will be provided for this purpose.

Three standard release forms have been drawn up with the aid of the University of Illinois Office of Legal Counsel to formalize permissions to use illustrative materials or footage shot on location:
   - Participant release for location taping, including on-camera interviews
   - Release for use of videotape or film
   - Release for use of illustrative materials (prints, slides, etc.)

Apart from securing necessary clearances by using these releases, or by obtaining other written permission as appropriate, SCMS will from time to time review all potentially proprietary materials possessed by the group. If materials of an actual proprietary or confidential nature are found and written permission to retain them had not been previously secured from the source(s), the source(s) will be contacted as to how to dispose of such materials.
The following options are available to such sources:

For text and graphics:
* Return or delete and/or shred the materials in question.
* Return or delete and/or shred the materials except for a single hard copy which will be retained and securely stored by the SCMS group.
* Return or delete and/or shred all materials except for a single electronic copy and a single hard copy version. These are to be retained and securely stored by the SCMS group.

For videotape:
* Return or erase the material in question.
* Return or erase the material except for a single copy which will be retained and securely stored by the SCMS Group.

In each of the above cases, the return/deletion/erasure of the materials, complete or partial, must be acknowledged in writing by the source of the materials and by one of the Co-Directors (David Curtis or Donna Cox).

As a general guideline, other than periodic review of potentially proprietary materials and securing clearances, the SCMS group will take no special security measures unless requested. In general, it is up to the source of information to request special measures and to specify appropriate restrictions on the dissemination of sensitive information. When such a request is made, it must be done so in writing and appropriate signatures affixed. Special security measures and options are listed below.

Scientific Communications

a) Video Programming

The Video Programming staff of the SCMS group produces video programming aimed at the research community as well as NCSA partners and funders and the public at large. As such, we are responsible for providing accurate communications to NCSA's disparate constituencies. We are concerned with security in two chief areas:

1. Security of primary source materials, both text and images.
   These include:
   - presentation materials (electronic or hard copy),
   - source materials (background data, slides, stills and videotapes from industrial or strategic partners or from within NCSA, e.g., Program Plan materials)
   - location footage to which access is restricted.
2. Security of information

Both areas will be reviewed in relation to:
- Use of footage or visualizations
- Distribution of programming that incorporates the above materials

Security in both areas is addressed by three complementary approaches:
* Technical review of draft text, scripts and video programming. Programs are normally put out for review to key participants. If an industrial or strategic partner is featured, the program must be reviewed by the AIR Associate Director and/or the NCSA Corporate Officer and/or the partner and/or its public relations agency, as requested by and/or negotiated with the partner concerned.
* Where appropriate, non-disclosure agreements and restricted access to materials or areas where such materials are being stored and/or worked on. Illustrative materials for distribution to the media will be handled as follows:
  - Copyright/ownership of all illustrative materials will be first confirmed with these sources before public dissemination. Most video animations and graphics processed for academic researchers by SCMS have already been cleared for general audiences. If necessary, though, written permission(s) will be obtained in advance from the copyright holder(s).
  - A standard release form will be provided for such permissions (see above). Owner signature of the release will constitute permission to use the materials in question for the purpose(s) stated in the release. It is up to the owner of the footage or materials to otherwise qualify, in the release, the conditions under which the said footage or materials can or cannot be used for public information purposes.
    Alternatively, such restrictions must be specified in writing on a separate contract that, by mutual agreement, addresses each restriction. If necessary, SCMS will reserve the right to first consult with the University of Illinois Office of Legal Counsel before agreeing to such restrictions.
  - If requested, materials (tapes, slides, print data) will be stored securely in B69 CAB, and for proprietary materials, in the General Industrial Cabinet in B69. Footage restricted for screening only will be returned without any prior duplication. Upon being named in writing, such tapes will not be allowed out of the secure locations except for essential processing (e.g. on-line editing). At the end of each on-line edit session, named tapes will be returned to the secure locations or to the source, according to his/her written request.
* Appropriate location taping clearances
  - If the participant or organization signs an NCSA participant release form, his/her signature shall indicate permission to use the footage of him/her and/or his/her organization without any restrictions whatsoever.
  - It will be up to the interviewee or organization being videotaped to specify (1) what can and cannot be taped or included in a program and (2) to request any special editorial measures. Each of these must be requested before or at the time of taping, but no later. Any such request must be confirmed in writing to the producer and/or either of the SCMS Co-Directors within five (5) days of the location taping in question. If necessary, a special location taping agreement will be negotiated with the help of the University of Illinois Office of Legal Counsel.

b) Communications Graphics

This area is covered by the same procedures as outlined below for Media Processing.

Media Processing by SCMS

One or two SCMS staff would be involved in pre-planning meetings for industrial projects. One or more SCMS staff would have main responsibility for the project's execution.
However, all SCMS staff would potentially be involved in viewing, displaying, recording or duplicating images during the lifetime of a project, as well as after completion of a project. This is to provide maximum efficiency in handling workload, both the partners' work and other work running parallel to the partners'.

There are three major activities that occur under the media processing umbrella. These include:

1) Initial mastering of project development sequences
   Sets of files representing short animation sequences are transferred to videotape. This occurs by loading a Silicon Graphics frame buffer (with optional enabled monitor) located in the B71 media lab. Frames are sequentially loaded to the frame buffer and then read into the Abekas, also located in B71. From the Abekas, frames and sequences of frames are "played" onto D-1 digital tape in real time. This becomes the "Project Worktape" referenced below.

2) Edits and/or compilation of sequences into delivered pieces
   During the development process, short mastered sequences are edited and compiled into longer pieces for viewing by project personnel. At the completion of the project, the final production program is built in this way. This involves tape-to-tape copy operations and optional additional use of the Abekas for editing new sequences of the previously mastered material. It may also involve electronic text generation. These tapes are referred to as "Project Edit Master Tapes" and may be copied to a "Project Compilation Master" at the completion of a project.

3) Video duplication and film
   This is, in general, completely separate from the development process, although it may also occur within a project. The SCMS group responds to requests from researchers and groups within NCSA for copies of videotapes and production of slides. People may send data files or videotapes to SCMS and request film recording or duplication.
   If the data or tape does not relate to a previous project, it will be considered a new project. For film, SCMS staff will transfer the data to a film recorder, expose the film, and have the film processed by an independent lab. One may elect not to send the film to the independent lab. This should be indicated in the Security Statement described below.

Security measures with regard to video and film

(The following deals with Industrial Partner work. Any other work will be considered non-sensitive in nature unless specified as sensitive by the requesting party.)

A "project" is considered to be any type of job request from an Industrial Partner or Industrial Program staff person.

A "designated Industrial Partner Representative" is someone to whom the official Industrial Partner On-site Representative has given authority to sign the project forms described below. There should be a limited number of these people, who will be designated in a letter of understanding between the Partner and SCMS.

* For industrial partner work, a Security Statement form, indicating security issues involved with a project, will need to be filled out with SCMS before any display or recording of the related images takes place. Indication will be made of any code words that should be used when referring to the project. The Security Statement may grant other people, including NCSA staff, authority to view the material or request duplications, etc. The statement may, of course, say that a project contains no sensitive material, and is viewable by the general public.
* There will be a Project Validation List indicating who can view the material during the course of a project. All SCMS staff should be on this list. If all SCMS staff are not on this list, along with anyone else who has a key to the General Industrial Cabinet, then tapes and materials for this project cannot be stored in this cabinet.
  All SCMS staff and a limited number of other NCSA staff users of the media facility will have keys to the General Industrial Cabinet.
* Any non-disclosure forms required by the Industrial Partner will also be signed by all people on the Project Validation List and filed before disclosure of sensitive project information.
* There will also be a Sensitive Tape and Data Location List, listing sensitive tapes in existence for that project and where they are stored. This list should be updated when the storage location of a tape changes. For example, if, at the end of a project, a tape's location changes from SCMS to the partner, this would be noted.
* Only designated Industrial Partner representatives, or others indicated in the Security Statement, will be able to authorize duplications of their company's material. Duplication Request Forms will be filled out.
* Erasure of material will be authorized by the designated Industrial Partner representative by completing an Erasure Authorization Form. Magnetic erasure will be sufficient.
* In summary, the forms which may be needed in any given media job are:

  Before start of project:
    Summary cover sheet
    Security Statement
    Non-disclosure forms necessary
    Project Validation List
  During project:
    Changes to the above
    Sensitive Tape and Data Location List
  After completion:
    Duplication request
    Erasure authorization

  The above forms will be kept in one folder per project.
* Each industrial partner will have one work D-1 videotape and one master videotape (betacam or D-1) per long-term project. Over the course of a year, they will also have one or more compilation D-1 videotapes and betacam dubs of these D-1 videotapes, containing only their own material.

In more detail, the set of tapes and operations on them includes:

Partner Project Videotape Archive, located with Industrial Partner, though some tapes may stay with SCMS during a project.
1) "Project Worktape" (D-1 videotapes from completed and in-progress projects)
2) "Project Worktape Protection tape" (Betacam backup of D-1 Project Worktapes)
3) "Project Edit Master Tape" (Betacam or D-1 videotape)
4) "Project Compilation Master" (D-1 videotape)
5) "Project Compilation Master Protection tape" (Betacam videotape)

Partner Project Videotape Handling Procedure

1) New (blank) "Project Worktape" allocated (D-1)
   New (blank) "Project Worktape Protection" allocated (Betacam)
   a) Worktape used to collect video material during project.
   b) Worktapes stored in secure SCMS area throughout project process. Industrial Partner may elect to always keep tape with them. Only persons on Project Validation List will have access to secure area.
2) "Project Edit Master Tape" created at culmination of project (Betacam or D-1).
3) At project completion:
   a) Dub "Project Edit Master Tape" to "Project Compilation Master" then from there to "Project Compilation Master Protection tape".
   b) Transfer the following tapes to Partner Visualization Project Archive:
      1) "Project Edit Master"
      2) "Project Worktape"
      3) "Project Worktape Protection tape"

* These tapes will be kept with the on-site industrial representative and brought to each work session as needed, or the tapes can be locked in the General Industrial Cabinet within a locked room at SCMS. The latter can be done only if the Partner puts everyone with a key to that cabinet on the Project Validation List.
* Text or audio generated electronically will not be left on internal disks in unsecured rooms. Floppy disks will be locked in the General Industrial Cabinet within SCMS facilities or kept with the designated industrial partner representative. The existence and locations of these disks will be indicated in the Sensitive Tape and Data Location List mentioned above.
* All industrial partner image display and recording will occur within locked, marked rooms. Only people on the Project Validation List will be present.
  If all displays of sensitive material are disabled, other people may be present for supervised periods of time. People with keys to these rooms will be limited to SCMS staff, a limited number of other NCSA staff, certain Facilities staff and janitorial staff. There will be signs indicating "Closed session: Do not enter" to notify someone who is not on the Validation List of the sensitive nature of the work going on inside.
* Inter-company material of a sensitive nature will be kept on tapes separate from other material from the same company. It will be up to the designated industrial partner representative who signs the Security Statement to notify SCMS of such a project. These tapes will be kept with the on-site industrial representative or, for in-progress material, in the optional manner described above.
* Tape cases will not contain sensitive nomenclature. Labels will at most contain a partner name, project numbers and any code words put forth in the Security Statement.
* All the above also pertains to film output. Exposed film and developed film will be locked up until delivered to the processor or until the industrial representative comes to pick it up. If film materials cannot be delivered to the independent lab, this should be stated in the Security Statement.
* The SCMS group responsibility for data begins when data is transferred from the CFS to Media group disk space. All systems on which SCMS work is performed are administered by NCSA.
* Appropriate access permission to SCMS group disk space is assigned to the industrial partner (as a group). Only designated partner personnel and SCMS personnel with need for access to this data (Project Validation List discussed above) have permission to this group. No one else has access to this space.
* During the production phase, some data may be temporarily stored on SCMS group CFS space. Such CFS space will be accessible only to those individuals on the Project Validation List.
  Likewise, because CFS access requires staging on Cray disk, the scratch file areas used for this staging will be accessible only by those same individuals.
* Partner personnel perform all required data transfers from Partner data spaces (on supercomputer disk or CFS) to the SCMS file areas. At no time are personnel other than authorized system administrators given any access permissions to Partner data, file systems, directories or files.
* At the end of the project operation, all data will be moved to partner designated space on CFS. This can again be performed from the Partner side, with no access to other Partner data, directories or files given to NCSA personnel to carry out these moves. Following this step, no data from the project will remain in disk space or file areas under SCMS control. A final note on the Sensitive Tape and Data Location List stating that this has been done will be made.

Appendix 7

Administration

SECURITY PLAN IMPLEMENTATION

* Distributed Decision Environment - Dissemination of Responsibility to Managers
* Managers to be responsible for discussing policy with employee
* Managers to be responsible for exit interviews, including collection of keys, keycards, and photo ID cards
* Administration Involvement
* Collection of security document acknowledgement, reports to Security Officer of any noncompliance
* Administration, maintenance, and security of keys and keycard records
* Administration of combination changes for the Computing Applications Building
* Administration of changing locks, and reordering and disseminating keys, in conjunction with Facilities and the Security Officer
* Administration of locking/unlocking basement corridor doors to the Computing Applications Building, and unlocking OS CAB doors when needed
* Administration of IDs for staff and visitors
* Participation in training in conjunction with Security Officer
* Close involvement with Security Officer and reporting of any non-compliance to Security Officer
* Administration Implementation
* Additional tracking mechanisms and reporting systems to be set up.