Computer Security Information

It is important that NCI-Frederick users recognize the crucial role they play in keeping information technology (IT) resources safe at the NCI-Frederick.

Although you may not feel that anything on your computer is "mission-critical", malicious individuals can still use your computer to cause damage or gain access to others. By taking some very small precautions requiring little effort, you can greatly reduce possible threats to IT assets at the NCI-Frederick.

Over the past few years, increased threats to IT systems and data have led to an increased focus on IT security, assurance, and policy compliance. Although we have summarized some of the most visible policies below, it is important to note that NCI-Frederick employees are required to follow all NIH IT Security Policies. The C&SS IT Security Administrator and the NCI-Frederick Information Systems Security Officer (ISSO) work closely together to ensure that these policies are implemented with minimal impact and monitored for compliance.

Points of Contact:

  • C&SS IT Security Administrator: Ross Smith
  • NCI-F Information Systems Security Officer (ISSO): David Cragg



Active Directory

Summary: NIH is consolidating all Active Directory domains under a single NIH umbrella.

Local Implementation: All AD-capable computers and user accounts at NCI-Frederick will be migrated in an orderly fashion to the NIH Active Directory. New systems and accounts will utilize the NIH Active Directory.

Related Documents:

Patch Management

Policy Summary: NIH Patch Management Policy requires that critical security patches be kept up to date on all systems connected to the network; automatic loading of patches should be employed whenever feasible. Automatic loading of patches is required on commodity desktops, and organizations must be able to centrally report compliance with this policy.

Local Implementation: NCI-Frederick computers must be configured to use an automated patch management service; the NCI-Frederick Windows Server Update Services (WSUS) server is recommended for Windows-based computers.

Exceptions: Requests for exception must be made in writing to the NCI-Frederick ISSO.
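The following PowerShell script is an added example and is not part of the NCI-Frederick page or of any C&SS tool. It reports whether a Windows host is configured to pull patches from an internal WSUS server with automatic installation, which is what the policy above requires, by reading the Windows Update policy keys that a Group Policy Object writes under HKLM\SOFTWARE\Policies. The WSUS server name in $ExpectedWsus is an assumption for illustration only; substitute the real NCI-Frederick WSUS address.

```powershell
# Added example (not from the NCI-Frederick policy page): check a Windows host's
# WSUS / Automatic Updates policy settings and return a non-zero exit code when
# the host does not match the patch-management requirement.
# The WSUS server name below is an ASSUMPTION for illustration; replace it.
$ExpectedWsus = 'http://wsus.example.ncifcrf.gov'   # assumed, not from the page

# Policy-delivered Windows Update settings (written by GPO) live under these keys.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-RegValue([string]$Path, [string]$Name) {
    # Return the named registry value, or $null when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Meaning of AUOptions (Automatic Updates policy):
#   2 = notify before download, 3 = auto download and notify to install,
#   4 = auto download and schedule the install, 5 = let the local admin choose
$wuServer  = Get-RegValue $wuKey 'WUServer'      # URL of the WSUS server
$useWu     = Get-RegValue $auKey 'UseWUServer'   # 1 = use WUServer instead of Microsoft Update
$auOptions = Get-RegValue $auKey 'AUOptions'
$noAutoUpd = Get-RegValue $auKey 'NoAutoUpdate'  # 1 = Automatic Updates disabled

$findings = @()
if ($useWu -ne 1 -or [string]::IsNullOrEmpty($wuServer)) {
    $findings += 'Not configured to use an internal WSUS server (UseWUServer/WUServer).'
} elseif ($wuServer.TrimEnd('/') -ne $ExpectedWsus) {
    $findings += "WSUS server is '$wuServer'; expected '$ExpectedWsus'."
}
if ($noAutoUpd -eq 1) {
    $findings += 'Automatic Updates are disabled (NoAutoUpdate=1).'
}
if ($auOptions -ne 4) {
    $findings += "AUOptions is '$auOptions'; policy expects 4 (auto download and scheduled install)."
}

if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: $env:COMPUTERNAME pulls updates from $wuServer with automatic install."
    exit 0
} else {
    Write-Output "NON-COMPLIANT: $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

Run the script from an elevated prompt on the workstation being checked; the exit code (0 compliant, 1 non-compliant) lets a central inventory or logon script collect the result, which is the "centrally report compliance" requirement in the policy summary. The script only inspects the policy keys; it does not confirm that the WSUS server is reachable or that approved patches have actually installed, which the WSUS console itself reports.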

Anti-Virus

Policy Summary: NIH Automatic Update of Anti-Virus Policy requires that all computers that use NCI-F network resources have anti-virus software installed, configured to run at start-up, and active when connected to the NIHnet network. Automatic update software is required on user computers in order to keep anti-virus signature definitions current. Platforms that require additional intervention from vendors, such as scientific instruments or equipment, are addressed on a case-by-case basis.

Local Implementation: NCI-Frederick computers must be configured to use anti-virus software; the NCI-Frederick McAfee ePO (ePolicy Orchestrator) system is required for Windows-based user computers.

Exceptions: Requests for exception must be made in writing to the NCI-Frederick ISSO.

Other Resources:

C&SS Virus Information Page

FDCC (Desktop Core Configuration)

Policy Summary: The HHS Federal Desktop Core Configuration (FDCC) Standard for Windows XP was created in response to OMB Memorandum M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems (released on March 22, 2007). FDCC requires that certain configuration standards be met for all Windows-based (XP and newer) operating systems; please see the NIH FDCC FAQ for answers to frequently asked questions.

Local Implementation: NCI-Frederick Windows-based computers must be configured to meet the HHS FDCC Standard; applying the settings via a Microsoft Active Directory Group Policy Object (GPO) is preferred.

Exceptions: A formal waiver must be submitted to the NCI-Frederick ISSO for review and evaluation. This includes users needing elevated privileges on their local desktop computer (an "Administrator Account").

Encryption

Policy Summary: All laptop computers must be secured using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution; all mobile devices and portable media that contain sensitive agency data shall be encrypted using a FIPS 140-2 compliant product. A key recovery mechanism shall be used so that encrypted information can be decrypted and accessed by authorized personnel.

Local Implementation: Windows-based systems should be encrypted using the NCI-Frederick PointSec encryption system, with keys stored centrally in the NCI-Frederick PointSec key repository. Apple-based systems are approved to use Apple FileVault in the interim while a FIPS-compliant solution is acquired. Systems that fall under this policy but cannot be encrypted for technical or business reasons must be physically secured (preferably by cable lock) at all times, properly labeled, and must not be used to store or process sensitive data.

Exceptions: Requests for exception must be made in writing to the NCI-Frederick ISSO.

Central Purchase and Receipt of Computers

Policy Summary: NIH Initial Security Configuration Policy requires central purchase approval and delivery of all IT equipment to ensure it meets minimum security and set up configuration requirements.

Local Implementation: All laptops and desktop computers must be requisitioned on an NCI-Frederick Purchase Request. These computer systems are expressly prohibited from being ordered by program areas using the Purchase Card or Blanket Order processes.

Exceptions: None

Central Baseline Configuration of Computers

Policy Summary: NIH Initial Security Configuration Policy requires central delivery and baseline configuration of all IT equipment to ensure it meets minimum security and set up configuration requirements.

Local Implementation: NCI-Frederick Policy 108 - Baseline Configuration of Computers requires C&SS to perform baseline configuration tasks for computer equipment purchased by the NCI-Frederick. The Computer Service Helpdesk will serve as the point of contact for these activities.

Exceptions: A formal waiver must be submitted to the NCI-Frederick Helpdesk, Building 360, for review and evaluation.

Other Resources:

ABCC Security Policies & Guidelines

NIH Security Awareness Training

NIH IT Security Homepage