All Laboratory personal computers, computing systems, and their associated communication systems are to be used only for official Laboratory business. By signing for a Jefferson Lab computer account, users signify their agreement not to misuse the Jefferson Lab computing complex and accept responsibility for any activity associated with their username and password.

Password Protection Rules:

• Do NOT give your password to anyone.
• Use a password that you can memorize so that it does not have to be written down. In situations where a written copy is necessary, insure that it is safely guarded in a secure location.
• Do not share your passwords for file access. If you need to share files with another user, please contact the Computer Center to have a secure method of sharing arranged.
• You must change the temporary password you will be issued when you first receive a computer account. Your password on all systems must be at least 8 characters long. Password changes are required at six month intervals.
• As with any password, do NOT use anything having to do with your name, the names of your family members, or Jefferson Lab. Do NOT use any word that would be in a dictionary. Consider including a few numbers, misspelling a word, or use letters that actually stand for the first letter of each word in a title or sentence.
• Report any suspicious login failures to your account to the Computer Center.
• Managers of computer systems not under the administration of the Computer Center are also responsible to insure that the systems under their control adhere to secure password management strategies. The Jefferson Lab Computer Center is required to inform the staff members involved and their line management whenever computer systems which are in violation of these policies are brought to the attention of the Computer Center.
• Remember that the security of all of Jefferson Lab's systems can be compromised if you compromise your password!

Multi-Factor Authentication (MFA) / Smartcard Protection Rules:

• Do NOT share your Smartcard or MFA device with anyone
• Do NOT share your PIN to anyone
• At a minimum, a 6-digit numerical PIN is required for all MFA devices
• You are required to take your Smartcard with you when you leave your computer
• Computers within a sensitive enclave, such as Business Services (BSN), are to be configured such that screen locks start automatically when a Smartcard is removed
• To access sensitive data, initial login on JLab systems (desktop, laptop, conference rooms, etc.), must be done using MFA
• Users that work in areas that require multiple, simultaneous console logins should contact the CST Division Help Desk.

Software Protection:

Users are responsible for ensuring that the spirit and letter of the laws for copyright and trademark protection are followed to protect both the individual and the Laboratory. Only legal copies of copyrighted software are allowed to be on Jefferson Lab computer systems including personal computers. Users may not copy nor distribute any licensed or proprietary software without the approval of the author and/or organizational owner. In addition to commercial products, software developed at Jefferson Lab may not be distributed beyond the Laboratory without formal release authorization.

The Jefferson Lab Computer Center is required to inform the staff members involved and their line management whenever computer systems which are in violation of these policies are brought to the attention of the Computer Center. For example, the Computer Center cannot and will not be put in the position of restoring policy violating software from failed disk systems on to new disk systems.

Backups:

The Computer Center provides regular backups of all data on the computers which it manages. All operators of all computer systems not directly managed by the Computer Center are responsible for the security and integrity of all hardware and software including the data files on their computer system. In view of the fact that the software, files, and the time to create the files and equipment are Jefferson Lab investments, employees are responsible for insuring that these resources are neither corrupted nor lost. The Jefferson Lab Computer Center is required to inform the staff members involved and their line management whenever computer systems which are in violation of these policies are brought to the attention of the Computer Center. For example, the Jefferson Lab Computer Center will make reasonable effort to save the files on a failed disk, but we are required to inform line management if proper backups are not also available. Various mechanisms can be used to back up data stored locally on personal computer systems including flash drives, or other external storage devices. Please contact the Computer Center for assistance in implementing an appropriate backup method for your activity.

Appropriate Use:

On all Jefferson Lab computer systems, the only authorized work is that which is connected with the research, design, construction, and operation of Jefferson Lab, its associated and authorized research, development, and administrative and support activities, and its associated JSA, LLC supported activities. Examples of fraudulent and improper use include, but are not limited to: personal holiday greeting generators, party invitations, poetry, personal letters, personal finance programs, pornography, investment programs, recipes, outside organizational membership lists, and programs used for personal gain or entertainment. Users are also charged to use resources cooperatively with other users. This responsibility includes monitoring background and interactive jobs to insure that other users are not excluded from the use of central resources, releasing limited licenses after appropriate time periods so that others may access them, and making special arrangements for high priority or high resource dependent jobs.

In order to assure that the above policies are being followed, the Jefferson Lab Computer Center has the responsibility of periodically inspecting user files and user activities.

In order that a usable, secure, and robust computing environment be maintained, the Computer Center and Cyber Security Team is responsible for removing from the Lab's networks and systems any equipment or software that poses a threat to operations or network stability. Restrictions may be placed on use of specific software, network protocols or activities that pose potential security hazards. Any computer user who persists in the installation or use of such equipment or software or persists in performing restricted activities is subject to loss of computing privileges and to applicable administrative measures as described in the Jefferson Lab Admin Manual.

Incident Reporting:

Any indications of operational problems with the central network and computing facilities should be reported to the Helpdesk.

The Laboratory does no classified work and does not have appropriate controls to manage classified information. The presence of classified material on site is considered to be contamination of our systems. Immediately report the presence of any classified information to the CIO, Site Security Manager, or Computer Security Manager to allow the prompt containment of the information. Do not attempt to copy, delete, or move apparent classified information using computer commands and utilities. Technical guidance will be provided for the sanitization of systems and storage facilities.

Report all computer-related security incidents to the Cyber Security Manager or to the Helpdesk.