15 January, 2002

The computing environment at the JAC is fundamentally an open, trusted local network. Accordingly, the computing policies are designed to promote maximal ease of use, while providing reasonable security against both external and internal threats. Threats can be either intentional (i.e., network attacks, malicious destruction of data, etc.) or inadvertent (i.e., system crashes, network failures, etc.) - in any case, the security policy endeavors to

1. prevent threats from having negative impact on computing services,
2. detect attempted attacks or imminent inadvertent threats, and
3. recover from any successful attacks or failures.

The specific goals of the computing policies and procedures are (in an approximate priority order):

1. Ensure the availability and integrity of the operational (UKIRT and JCMT telescope control and data acquisition) computing systems, software, and observational data.
2. Ensure the availability and integrity of astronomical data reduction and analysis systems, software, and data.
3. Ensure the availability and integrity of general-use computing systems, software, and data.
4. Provide for rapid recovery if systems are damaged or compromised as a result of a malicious or inadvertent incident.
5. Ensure the confidentiality of JAC management data, observational and users' data files as required.
6. Prevent accidental or malicious damage to systems, software, and data.

All users of JAC computing systems, including visiting observers, are required to read and sign the Acceptable Use Policy. Special-access (i.e., root or special support) users are required to read, receive training on, and sign the Special Access Guidelines. The policies are included in this document.

B. Procedures

Computing is a rapidly evolving field and so it is accepted that the precise details of the JAC computing procedures are extremely dynamic. However, they are based on a few fairly fixed tenants, which can be summarised as follows:

1. System backups of all operational systems are taken daily. The exact details of the JAC backup strategy are given in the JAC Backup policy. If the systems are damaged or compromised, they can be restored to a known state, provided System Administrators are alerted within 30 days of the problem occurring.
2. An incident response procedure exists to deal with both internal and external threats. This covers deliberate attacks as well as inadvertent system failures, and details the steps to be taken for recovery.
3. Various logging, auditing, and verification software systems are installed to detect, or at least document, any external attacks on JAC systems. An ongoing effort is made to distill the logs and reports into a form that gives early warning of any problems.
4. Redundant disk arrays, redundant hardware and other technological solutions are used to minimize downtime in the event of hardware failures.

These notes provide guidelines for use of the JAC computing systems and resources. They are intended to increase awareness of computer security issues and to ensure that all JAC users (scientific users, support personnel and management) use the JAC computing systems, resources and facilities in an efficient, ethical and lawful manner.

Examples of activities which would be considered to interfere with the JAC's business mission, professional reputation or security are:

1. Using large amounts of system resources for purposes unrelated to the JAC, and to the detriment of other users.
2. Divulging any access information (e.g. login passwords, passwords to any protected system areas or resources, dialup phone numbers, or lists of user accounts), without prior authorization of JAC Computing Services.
3. Failing to report any weaknesses in JAC computer security, or any incidents of illegal use of JAC computing resources, to the proper authorities by contacting JAC Computing Services or by sending electronic mail to sysadmins@jach.hawaii.edu.
4. Sharing a personal JAC account. This includes sharing the password to the account, providing access via an .rhosts entry or other means of sharing.
5. Down-loading, or making unauthorized copies of copyrighted material, except as permitted by law or by the owner of the copyright. If in doubt, JAC Computing Services should be consulted.
6. Making copies of system configuration files for unauthorized personal use or to provide to other people/users for unauthorized uses.
7. Engaging in activities to: harass other users; degrade the performance of systems; deprive an authorized JAC user access to a JAC resource; obtain extra resources, beyond those allocated; circumvent JAC computer security measures or gain access to a JAC system for which proper authorization has not been given.
8. Sending from, down-loading, storing or printing on JAC systems any fraudulent, harassing or obscene messages and/or materials.
9. Down-loading, installing or running security programs or utilities which reveal weaknesses in the security of a system.
10. Down-loading, installing or running any executable programs which are not licensed for use at the JAC or adversely effect system performance or provide a security threat. In general, JAC Computing Services should be informed before you down-load software, and they should always be consulted if there is any doubt.
11. Activating any network services (WWW servers, FTP servers, etc.) on any JAC computers without the permission of JAC Computing Services.

Computer User's Name: _______________________________

User's Signature: _____________________________________ Date: ___________________________