ArtSciLab Cyber Security Policy: Overview and Review
Author: Collins Mwange, Dec 24, 2024
Audio Deep Dive
Policy Overview
ArtSciLab’s cybersecurity policy manual outlines procedures for protecting lab technology and information assets. It details classifications for information and computer systems, specifying access levels and user responsibilities. The policy addresses various security threats, including insider threats, hackers, and vulnerabilities. It establishes acceptable use guidelines, penalties for violations, and procedures for handling security incidents. The document emphasizes user accountability and proactive security measures to maintain the lab’s data integrity and system availability.
Policy Manual PDF
Policy Briefing
Overview: This briefing doc summarizes the key themes and important facts outlined in the “ArtSciLab Cyber Security Policy” document, version Spring 2025.
Purpose: The policy aims to inform all lab users (faculty, staff, students, visiting researchers, etc.) about their responsibilities in protecting lab technology and information assets. It outlines acceptable use policies, internet access rules, and procedures for handling security incidents.
Key Themes
1. Asset Protection: The policy prioritizes the protection of lab assets, including:
- Hardware: Computers, servers, printers, etc.
- Software: Operating systems, applications, databases, etc.
- Information: Classified as confidential or non-confidential.
2. Threat Identification: The policy acknowledges various threats:
- Internal: Lab members potentially cause damage through negligence or malicious intent.
- “One of the biggest security threats is system users. They may damage lab systems either through incompetence or on purpose.”
- External: Amateur hackers, criminal hackers, and nation-state actors exploiting vulnerabilities.
3. Layered Security Approach: The policy advocates a multi-layered security strategy:
- Access Control: Unique user IDs and passwords, 2FA, special access accounts with limited privileges, and physical access control through key cards.
- Network Security: Firewalls, intrusion detection systems, secure remote access via VPN.
- Vulnerability Management: Regular patching of devices and software, penetration testing, and vulnerability scanning.
- User Training: Mandatory cybersecurity awareness training for all lab users, including visiting researchers.
4. Acceptable Use: The policy clearly defines acceptable use of lab resources:
- Business Use Only: Personal use of lab computer systems is prohibited.
- “User accounts on lab computer systems are to be used only for business in the lab and not to be used for personal activities.”
- Internet Usage: Permitted for research purposes only, with restrictions on inappropriate content.
- TikTok Ban: According to Texas state government orders, TikTok is prohibited on all lab devices and devices connected to the UTD network.
5. Incident Handling: Clear procedures are outlined for reporting and handling security incidents:
- Immediate Reporting: Lab members must immediately report suspected incidents to the security administrator.
- Preservation of Evidence: Affected computers must be left untouched to assist with investigations.
Important Facts
- Information classification is based on confidentiality levels (Red, Green, White, Black) and determines access privileges.
- Passwords must adhere to complexity requirements and be changed every 365 days.
- User activity, including internet usage and email communication, can and may be monitored by the lab.
- Violation of the security policy can lead to disciplinary actions, including dismissal.
Quotes
- “The lab has the right and capability to monitor electronic information created and/or communicated by persons using lab computer systems and networks, including e-mail messages and usage of the Internet.”
- “Lab members, who believe their terminal or computer systems have been subjected to a security incident, or have otherwise been improperly accessed or used, should report the situation to the lab’s security administrator immediately.”
Conclusion: The ArtSciLab Cyber Security Policy provides a comprehensive framework for protecting lab assets and mitigating cybersecurity threats. Its emphasis on user education, access control, and incident response procedures highlights a proactive approach to ensuring a secure research environment.
FAQs
1. What information is considered confidential in ArtSciLab?
Confidential information in ArtSciLab is any data that cannot be disclosed to individuals outside the lab. This includes information stored on computer systems, databases, and other digital platforms. Access to confidential information within the lab is granted on a need-to-know basis, as determined by the lab director. Examples of confidential data include research data, personal information of lab members, and sensitive project details.
2. What are the different classifications of computer systems in ArtSciLab, and what do they signify?
ArtSciLab uses a color-coded system to classify its computer systems based on the level of security required:
- RED: Systems containing confidential information and providing mission-critical services vital to lab operations. Access is strictly controlled, and failure of these systems could have severe consequences. Example: Server containing research data and financial information.
- GREEN: Systems that do not contain confidential information but can be used to access RED systems. These systems require a moderate level of security. Example: Staff workstations used to access research databases.
- WHITE: Isolated systems that are not externally accessible and do not contain sensitive information. These systems are used for specific purposes like software testing. Example: A standalone system for developing new software applications.
- BLACK: Externally accessible systems that are isolated from RED and GREEN systems by a firewall. These systems do not contain confidential information but may provide important services. Example: A public web server hosting non-sensitive lab information.
3. What are the responsibilities of ArtSciLab users regarding the use of lab computers and the internet?
ArtSciLab users must adhere to the Acceptable Use Policy, which outlines responsible use of lab resources. Key responsibilities include:
- Using lab computers and the internet for business purposes only, avoiding personal activities.
- Protecting confidential information accessed or stored on their accounts, including passwords.
- Refraining from activities that could harm the system or other users, such as harassment or unauthorized access attempts.
- Reporting any security weaknesses or policy violations to their supervisor or the security administrator.
- Using the internet for research-related purposes only, avoiding inappropriate or illegal content.
- Adhering to the ban on TikTok usage on all lab devices and networks, as per the Texas Governor’s order.
4. What are the password requirements for ArtSciLab user accounts?
To maintain security, users must follow these password guidelines:
- Passwords should not be dictionary words or common phrases.
- Passwords must not be written down or stored insecurely.
- Passwords must be changed every 365 days (1 year).
- Two-factor authentication (2FA), such as the Duo Authentication app, must be used in conjunction with passwords.
5. What is the procedure for reporting security incidents in ArtSciLab?
If a lab member suspects a security incident, such as unauthorized access or system compromise, they should immediately report it to the lab’s security administrator. It’s important NOT to turn off the computer or delete suspicious files, as this could hinder the investigation. Leaving the system in its current state helps identify the source of the problem and implement appropriate remediation measures.
6. How does ArtSciLab handle security violations?
ArtSciLab takes security violations seriously. Depending on the nature and severity of the violation, disciplinary actions can range from mandatory cybersecurity training to termination. The lab director may also refer the incident to law enforcement agencies for potential criminal charges.
7. What are the restrictions on connecting devices to the ArtSciLab network?
Only authorized devices, such as lab-owned computers and approved network infrastructure devices, are allowed to connect to the network. Users are prohibited from connecting personal computers, unauthorized storage devices (e.g., flash drives), or any devices that could compromise network security.
8. What are the guidelines for remote access to the ArtSciLab network?
Remote access to the lab network is permitted only for authorized individuals with a legitimate need. Acceptable methods for remote connection include secure VPN or SSH. Users are prohibited from installing personal remote control software, as this bypasses the lab’s secure access methods and poses a significant security risk.
AI Use Policy: GenAI was used to generate this blog article (audio + text).
Collins Mwange
Posted at 14:00h, 24 December
Hello ASL members,
After thoroughly reviewing the ASL Cyber Security Policy, please add your reviews as comments below. Your reviews need to be incorporated into the final document.
The review could be a suggestion, clarification, or question.
roger frank malina
Posted at 13:59h, 07 January
The 30 minute video at the top of the document is too long (32 minutes). The neuroscience of attention span indicates very few people will listen that long. Shorter segments designed for the lab members' attention span make sense.
Admin
Posted at 17:11h, 08 January
Sure.
We’ll let NotebookLM know that. They generated the deep-dive podcast.
roger frank malina
Posted at 14:02h, 07 January
This document is a generic policy document, not very different than ones UTD has in place. How has this policy been modified specifically for members of the ArtSciLab? For instance, we have students of many different majors working in the lab, and the concept of intellectual property/theft is different in art professions, business for interest who must be included as a co-author of a research or art project.
Admin
Posted at 17:48h, 08 January
Since ArtSciLab is an entity within UTD, the ASL security policy isn’t going to be very different from UTD’s or any other institution within the UT System. The point of an IT Security policy isn’t to be novel but to address the main points of security concern. This is why a policy of one company isn’t very different from a policy of another company in the same industry. That said, the ASL Security Policy does narrow down to specific scenarios that are unique to ASL that UTD Policy (found here: https://policy.utdallas.edu/utdbp3096) doesn’t address.
Finally, a security policy isn’t affected by the backgrounds of the stakeholders/employees but by the security landscapes, needs, and risk appetite of the organization. As for intellectual property/copyright law, a Security Policy doesn’t always address that as it is properly addressed in the DMCA (found here: https://www.govinfo.gov/content/pkg/PLAW-105publ304/pdf/PLAW-105publ304.pdf).
roger frank malina
Posted at 14:04h, 07 January
The policy says it applies to physical property such as computers etc., but there are NO labels on the equipment indicating that they belong in the lab, and to my knowledge inventories are not taken regularly.
Perhaps the policy must link to an implementation plan and annual report so that a reader of the policy understands how it is actually implemented.
roger frank malina
Posted at 14:07h, 07 January
Perhaps this is an implementation problem not a policy problem – but an appendix with an implementation report would help. To my knowledge the lab has no written procedure for removing access to members when they resign or leave and it is a haphazard process- some is lab door access removed to the physical lab when someone resigns or graduates
Admin
Posted at 17:56h, 08 January
Security Policy contains the written procedure for removing access to members when they resign or leave. With this policy, there’s now a written procedure.
roger frank malina
Posted at 14:09h, 07 January
Page 6 says I have to report incidents of misuse of violation. In these comments I have reported violations (e.g. no inventory review of computing equipment in the lab). Will these comments I am submitting be converted to violation reports that will be addressed, or do I have to submit it somewhere else?
Admin
Posted at 18:04h, 08 January
Since this is a security policy, it does not address management issues like inventory management. The policy talks of reporting “security” incidents or violation of the “Security” Policy.
Omer Ahmed
Posted at 18:38h, 09 January
I think the video is too long. The document, I liked the 7 page version better but this is fine as well. Maybe make a shorter version as well! Notebook LM seems like such a cool tool!
Can you please update this document on the Art Sci Lab website as well?
Admin
Posted at 23:49h, 09 January
By video, I suppose you mean audio. As far as I know, NotebookLM doesn’t give the option to specify how the audio deep dive should be (like how long it should be). However, due to public demand, I went and recreated the audio again and this time it came out 15 mins short! It just has more hallucinations – for example, it hallucinates that “ArtSciLab is a fictional lab at UT Dallas.” Nonetheless, I like the “cat videos” part.
I suppose by “the 7 page version” you mean the ‘cybersecurity training manual’. Normally the security policy is longer than a security training manual. The reason is, a security policy should be exhaustive – address every security concern – while a security training manual is only supposed to address the main security concerns.
Eventually, the security policy will be published on ArtSciLab. However, for review purposes, we chose to use CDP website because it allows interaction, ASL website doesn’t. The CDP allows readers to comment, to react on the content they see. ASL is a one-way website. Site visitors can only read whatever is posted but they can’t react to it.