Guideline Details

  • Effective date: January 2017.
  • Updated on: 01.01.2017.
  • 1st edition.

Guideline Content

  1. Goals

These guidelines summarize the Weizmann Institute of Science's information security policies and are intended for all Institute users. They cover a range of use cases, with the purpose of clarifying general information security aspects, including the handling of personal employee information and of Institute data for which employees are responsible.

  2. Terms and Definitions

End user: a Weizmann Institute employee or external worker who, in the context of his/her work, uses Institute information systems, and/or is exposed to internal information (hereinafter “the user”).

Information integrity: exact correspondence between the data in the information repository and the original data. All original data, and only the original data, must be stored in the repository, without unauthorized or accidental modification.

Information confidentiality: protecting the information content from entities not authorized to use the information.

Information availability: the ability to access the data on demand.

Information security: the collection of actions and measures taken to ensure information integrity, confidentiality, and availability.

User ID: a unique ID allocated to each individual user at the Institute, for information system identification purposes.

Password: a secret string of characters which, together with the user ID, serves to authenticate the user's identity to the information system.

Malicious software (malware): software designed to damage, disrupt, or gain unauthorized access to information systems, often by spreading from computer to computer.

Anti-virus: software designed to detect and block malicious software on the computer on which it is installed. Malware is detected by comparing files against a regularly updated list (signature file) of known, widespread malware; detection therefore depends on the signatures being current and does not reliably catch new or modified malware.

Classified information: internal information, which, if exposed, may cause significant direct or indirect damage to the Institute, including personal employee information, sensitive commercial information, and credit card information.

Internal information: all Weizmann Institute information whose disclosure to unauthorized parties may damage the Institute. The majority of the information at the Institute should be regarded as internal and may not be used for any non-work-related purpose.

Protection of privacy law: a state law protecting citizens' privacy, with emphasis on personal details stored in computer information systems. Should a person’s privacy be compromised, the law places liability solely on the owner of the information or information repository, and not on the parties making illegal use of the information.

  3. Confidentiality
    1. The Institute is legally committed to safeguarding the confidentiality of information – according to the Protection of Privacy Law, various regulations, and additional laws. All users are responsible for keeping the data to which they are exposed in the course of their work confidential.
    2. Each employee will sign a declaration of confidentiality before starting employment.
    3. Users are prohibited from accessing, or attempting to access, information that is not required for their roles or that they are not authorized to access in the context of their roles.
    4. Information may be disclosed to customers and suppliers only directly to the specific agent representing the customer or supplier, and only after positive identification.
    5. Users are prohibited from providing information to any external agent beyond the scope of the Institute's ongoing activities.
  4. Sensitive Information

Should you, as an Institute user, have access to sensitive information, you are obligated to protect it against damage, loss, misuse, or unauthorized access. Sensitive information includes, but is not limited to, information that personally identifies students or Institute employees, medical information, and information on finances, fundraising, and contributions.

The following are instructions on safeguarding sensitive information on your personal computer:

  1. Keep your computer locked or logged off when not in use.
  2. Set up a password-protected screensaver, to ensure automatic screen locking when your computer is idle.
  3. In general, do not store files containing sensitive information on personal computers; keep them only on servers/systems dedicated to this purpose (for example, employee personal files).
  4. Beware of inadvertently disclosing sensitive information while on the Internet or when using file-sharing services.
  5. Any security breach or problem on a computer hosting sensitive information, including loss of the computer, must be reported to the information security supervisor and the faculty computing administrator.
  5. User ID Usage
    1. User IDs are intended for employees' personal use only, and only as a means of fulfilling the duties of their positions.
    2. It is strictly forbidden for employees to enable any other party (internal or external) to make use of their personal user ID. Additionally, employees are strictly forbidden from using other employees' user IDs and/or passwords, even if these have been willfully provided to them.
  6. Personal Password Usage
    1. The password is the key for access to information. It must therefore be kept completely private and confidential. Never disclose your password to any other party, including other Institute employees.
    2. Users must select a non-trivial, hard-to-guess password, in line with the Institute's password policy. Passwords should contain at least eight characters, including upper- and lowercase letters, digits, and special characters. One approach is to start from a word or phrase of at least eight letters and substitute characters as described; for example, the word "noaccesshere" can become "N@Acc$55Her!". Bear in mind that common substitutions (such as "a" to "@" or "s" to "$") are well known to password-cracking tools, so a longer phrase is safer than a short word with predictable substitutions.
    3. Do not write down or store your password anywhere it can be accessed without strong authentication (for example, do not jot it down on a piece of paper or stick a note onto your computer screen).
    4. Passwords should be changed periodically. We recommend changing passwords at least once every 180 days, and immediately in any case of suspected compromise of your password or of information confidentiality.
  7. Leaving a Workstation
    1. Employees are responsible for ensuring that no party or user other than themselves can make use of their information platform and workstation when logged in with their personal user ID.
    2. Employees leaving their workstations will lock their computer, so that a password must be entered to unlock it.
    3. Confidential information hosted on information platforms must be stored away securely, when the user is absent from his or her station.
    4. Users who suspect unauthorized use of their information platform or login credentials, must promptly report this to their direct manager and to the information security supervisor.
  8. Employee Software Usage
    1. It is strictly prohibited to install unauthorized software, such as unlicensed applications, on Institute computers.
    2. When users require software that is not installed on their computers, they should request its installation from the faculty computing administrator or the Service Desk.
    3. When licensed or open-source software is urgently needed, employees must use their discretion regarding the software's source and/or the website offering it for download before installing it. Many download sources are unsafe and may install malware alongside the requested software without the user noticing. In case of doubt, the user should consult the faculty computing administrator or the Service Desk.
    4. Making unauthorized copies of software is illegal and may incur legal consequences, including civil and criminal liability. Do not use unauthorized software copies.
  9. IT Infrastructure Usage
    1. The Institute's IT infrastructure is intended to assist employees in carrying out their work and for no other purposes.
    2. It is forbidden for users to make any use of Institute computer platforms beyond their work and in the context of their official role.
    3. Access to Information Systems for work-related purposes requires employees to use the Institute-defined login/identification means.
    4. It is forbidden to conduct any personal activities, as detailed below:
      1. Development/execution of software for personal or commercial purposes, or for any purposes beyond the scope of the Institute's ongoing activities.
      2. Use of Institute software and/or information systems for any need other than the needs of the Institute itself.
      3. Duplication of software and files developed by Institute employees, and appropriation/use of these software assets/files for purposes other than those of the Institute.
      4. Duplication and/or distribution of software products (including professional documentation), or use of such duplicates, with all the consequences this entails.
  10. Mobile Computing Device Usage

While mobile devices, such as laptops, tablets, and smartphones are a convenient means for storage and utilization of information, their portability also makes them a popular target for thieves. The following measures may assist you in protecting these devices, as well as the sensitive information they may carry:

  1. Back-up data and information stored on the device – via cloud or backup services provided by the IT Infrastructure Branch and/or by faculty computing administrators, or any other reliable service enabling device data backup.
  2. Secure mobile devices with an access password (or an equivalent lock).
  3. Do not store or transfer information on devices or platforms that have not been officially supplied by the Institute and scanned for malware.
  4. Mobile computing devices, such as laptops and tablets, will be labeled as official Institute property.
  5. It is recommended that you install and run a local firewall on every mobile computing device supporting this feature. Firewall installation will be performed by the faculty computing administrator. Should you require assistance in configuring the firewall, please contact the Institute's Information Security Section team.
  11. Wireless Networks

The Institute operates wireless networks that serve employees, guests and others. Some are set up as “public” networks; i.e., they provide users with access to the Internet, yet block any access to Institute resources. WIS_HotSpot and other such networks, for example, are open and require no user authentication. Other networks require authentication and provide employees with the convenience of access to Institute resources. Given the relative ease with which anyone can connect to public networks, users must apply extra caution when connecting to such networks off Institute premises.

  1. "Pop-up windows" that appear while connecting to public networks are a common trick for installing viruses and other malware. Should you be presented with a pop-up while using a public hotspot, especially while the connection is being established, examine it carefully and do not accept or install anything it offers unless you are absolutely certain of its legitimacy.
  2. Never enter sensitive information on the Internet unless you are certain the connection is encrypted. Encryption is usually indicated by a lock icon in the browser or by a URL beginning with 'https://'. Note that encryption only protects the data in transit; it does not by itself prove that the site is legitimate, so check the address as well.
  12. Remote Access
    1. Terminate connection upon conclusion of remote access to Institute information systems. Connections to the Institute are terminated automatically upon 8 hours of inactivity.
    2. Remote access by external contractors will remain active for the duration of the service being rendered only, and will be terminated immediately upon service completion.
  13. Malware, Viruses and Bots
    1. Malicious software may severely damage Institute information systems. Follow these guidelines to minimize such threats:
    2. It is forbidden to install unauthorized software, such as unlicensed applications.
    3. Always scan files from external sources with antivirus software prior to use/installation.
    4. It is forbidden to insert external media into workstations not equipped with an up-to-date antivirus program.
    5. Like all other software applications, antivirus software will be installed and updated by authorized personnel only. Employees who think the antivirus software on their computer is missing or outdated should contact the faculty computing administrator or call the Service Desk at extension 4444.
    6. Any detection of viruses on Institute computers must immediately be reported to the faculty computing administrator and Information Security Section. Refrain from performing any activities on the infected computer, including turning the power off.
    7. Malware handling will follow the Information Security Incident Response procedure.
    8. To reduce exposure to malware, make sure that the operating system and installed software are regularly updated with security patches. It is recommended to check for and apply updates (including Windows, Adobe, and Java updates) at least weekly.
    9. Do not enable macros in files of unknown origin or purpose. Macros are a common vehicle for spreading malware and taking control of workstations. Macro-enabled Office files can often be recognized by their extension, such as .docm, .xlsm, and .pptm (and template variants such as .dotm and .xltm); note, however, that an extension can be changed, so treat any file that prompts you to enable macros with suspicion.
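The extension check above is a useful first filter, but a file name can be changed. Since Office 2007, Word, Excel and PowerPoint documents are zip containers (OOXML), and any VBA macros are stored in a part named vbaProject.bin inside that container, so a scanner can look for the part itself. The following Python script is an added example, not part of the Institute's guidelines or tooling; the sample "documents" it builds in memory are constructed stand-ins that only reproduce the container layout, not real Office files.

```python
"""Check whether an Office document carries VBA macros.

Two checks are combined: the extension-based rule from the guideline, and a
look inside the OOXML zip container for a vbaProject.bin part, which is where
Office keeps macros regardless of what the file is called.
"""
import io
import os
import zipfile
from typing import Optional

# Macro-enabled OOXML extensions (documents, templates and add-ins).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                    ".pptm", ".potm", ".ppam", ".ppsm"}


def has_macro_extension(filename: str) -> bool:
    """Extension-based check, as described in the guideline (case-insensitive)."""
    return os.path.splitext(filename)[1].lower() in MACRO_EXTENSIONS


def ooxml_contains_vba(data: bytes) -> Optional[bool]:
    """Container-based check.

    Returns True if the zip holds a vbaProject.bin part (for example
    word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin), False if it
    is a zip container without one, and None if the bytes are not a zip at all.
    Legacy .doc/.xls files are OLE2 containers, not zips, so they return None
    and need an OLE-aware scanner instead.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return None


def classify(filename: str, data: bytes) -> str:
    """Combine both checks into a verdict a help desk could act on."""
    ext_flag = has_macro_extension(filename)
    vba = ooxml_contains_vba(data)
    if vba is None:
        return "not an OOXML container: inspect with an OLE-aware scanner"
    if vba and ext_flag:
        return "macro-enabled file with a VBA project: do not enable macros unless the source is trusted"
    if vba:
        return "VBA project present despite a non-macro extension: treat as suspicious"
    if ext_flag:
        return "macro-enabled extension but no VBA project found"
    return "no VBA project found"


def _build_sample(parts: dict) -> bytes:
    """Build a minimal constructed zip that mimics the OOXML part layout.
    These are not real Word files; only the container structure matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (hypothetical content, not taken from any real document).
CLEAN_DOCX = _build_sample({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
MACRO_DOCM = _build_sample({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    # OLE2 magic bytes followed by filler; a real part would hold the VBA streams.
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 stub",
})

if __name__ == "__main__":
    samples = [
        ("report.docx", CLEAN_DOCX),
        ("invoice.docm", MACRO_DOCM),
        ("renamed.docx", MACRO_DOCM),                     # macro file given a harmless-looking name
        ("legacy.doc", b"\xd0\xcf\x11\xe0 not a zip"),    # pre-2007 binary format
    ]
    for name, blob in samples:
        print(f"{name:14s} -> {classify(name, blob)}")
```

The third sample shows why the container check matters: the same macro-bearing bytes under a .docx name pass the extension filter but are still flagged. The check is deliberately conservative; it reports the presence of a VBA project, not whether the code in it is malicious.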
  14. Internet Usage
    1. Internet access is provided to employees authorized for such access so as to assist them in work-related tasks.
    2. All Institute regulations and procedures relating to privacy, sexual harassment, information security, and confidentiality apply when the Internet is used.
    3. The transfer of sensitive information regarding the Institute or its employees via various Internet network applications without adhering to Institute procedures is prohibited.
    4. During Internet use, browser warnings may appear regarding encrypted web pages or faulty digital certificates. Pay attention and apply caution: the site you are attempting to access may be fraudulent. If you are not sure how to proceed, contact the Information Security Section team.
  15. E-mail Usage
    1. E-mail improves and strengthens internal and external communications, but it also presents numerous risks, such as information exposure, virus distribution, and system disruption.
    2. Institute e-mail serves to fulfill work-related purposes and tasks only.
    3. All Institute regulations and procedures relating to privacy, sexual harassment, information security, and confidentiality apply to e-mail use.
    4. Do not send by e-mail any sensitive unencrypted information or data about Institute entities, including credit card information.
    5. Do not open e-mail messages or attachments of unknown origin. In case of doubt, the Information Security Section can be contacted to scan the file for malware.
    6. Special caution must be applied to e-mail messages announcing prizes or requesting a password change because of supposed e-mail problems, and the like. These are likely phishing attempts and should be promptly deleted.
    7. Do not respond to unsolicited messages; spammers may use your reply, even if it is merely an "unsubscribe" request, as proof that your e-mail address is a valid one.
    8. Do not purchase anything offered through spam. Its sources are highly questionable.
  16. Printer and Fax Usage
    1. When using shared printers located in public spaces, keep in mind that the printed material is exposed to other users, and apply caution according to its confidentiality level. It is the user's responsibility to ensure that the material is not collected by any other person.
    2. Printed material should not remain on printers. If a printout is not needed, adhere to the instructions specified above (see section 7, Leaving a Workstation).
    3. Apply discretion in transmitting information via fax, and consider the risks involved. When using a shared fax machine situated in a public space, make sure that the document is not collected by anyone else.
  17. Protection of Privacy Law Application
    1. The Protection of Privacy Law defines any disclosure of information about a person, who may be explicitly identified through such disclosure, as an offense.
    2. Every employee must strictly safeguard the confidentiality of information covered by the Privacy Protection Law.
    3. If an employee believes that protected information has leaked to unauthorized parties, he or she must immediately report this to the information security supervisor.
    4. Personal medical information is deemed highly sensitive and is subject to specific legislation, such as HIPAA (the US Health Insurance Portability and Accountability Act) and comparable laws or standards in other countries. If you have access to such records, implement the following additional security measures:
      1. Ensure, as far as possible, that the records are stored in a protected and isolated environment.
      2. Ascertain that access to the records is regularly monitored, so that all access, authorized or not, is recorded and any unauthorized attempt is detected.
      3. Refer any question or request for clarification on medical data-related information to the information security supervisor.
  18. Social Engineering

Attackers often try to obtain confidential information by contacting employees directly, or through various kinds of fraud intended to extract confidential information about procedures, employees, and so on. The following guidelines may help reduce the risk of unauthorized access to confidential information:

  1. Verify the identity of people attempting to contact you. If you are not able to identify them, refrain from providing them with sensitive information pertaining to the identity and status of Institute employees.
  2. Do not divulge personal details about yourself or about other employees in response to requests for information. Refer such requests to Human Resources.
  3. Do not expose information related to personal computers or other computing systems, software or Internet links, unless you can verify the identity of the person requesting this information and his/her need to know.
  4. Under no circumstance are you to ever disclose your personal password to anyone, regardless of the urgency of the need being expressed.
  5. If you believe you have received an inappropriate request for information, report this to your manager.
  19. Reporting Obligations
    1. Users must report any attempted or actual use of their authentication credentials by others to the information security supervisor.
    2. Any attempt to breach the information security guidelines specified in Institute procedures must be reported.
    3. In any case that poses a potential risk of a security breach, report immediately to the information security supervisor.
  20. Release of Information outside the Institute
    1. Information platforms containing internal information, including credit card data, must not be released outside the Institute, unless approved by the information security supervisor. Additionally, no sensitive/confidential information may be transferred to external parties without prior information security supervisor authorization.
    2. When information is released outside the Institute, employees must properly secure it against any party's compromising its integrity, availability, and confidentiality, according to guidance provided by the information security supervisor.
    3. Information may only be transferred to external parties who have signed a written non-disclosure agreement.
    4. Release of information outside the Institute will only be performed through channels ensuring information confidentiality and integrity, and enabling information tracking.
    5. Documentation of the released information/content will be submitted to the information security supervisor.
    6. Information released outside the Institute is to be returned, as required, at the earliest opportunity.
  21. Information Transfer Channels
    1. Information in hardcopy is to be transported in a sealed/secure envelope, and its delivery signed for by the recipient.
    2. Electronic transfer:
      1. If the external party possesses a virtual vault, files will be transferred directly to it.
      2. Information transfer by e-mail must be performed through a secure e-mail mechanism that encrypts the message and its attachments.
      3. Information transfer by public communication channel is to be performed subject to encryption of said communication channel.
      4. Detachable media – files transferred to an external party using detachable media are to be password-protected during media transport.
      5. The password will be transmitted separately, along with a document specifying information security recommendations.
    3. It is recommended that information dispatched to various parties by means other than e-mail be encrypted and sealed in a secure envelope.