Today’s buzzword, “bring your own device” (BYOD) – i.e. the possibility of bringing your own tablet, laptop or smartphone to work – has long been established practice at CERN. The nature of our community, the comings and goings, new arrivals and departures on a daily basis, researchers from abroad, students, teachers and lecturers, requires flexibility in device provisioning. While CERN’s IT department supports centrally managed Windows laptops and PCs as well as centrally managed solutions for Linux systems, it is an unsurmountable challenge for them to provide any flavour of operating system for any type of hardware in any kind of language. But BYOD does not mean that you can do whatever you want…
Once you are connected to CERN’s wired or wireless networks, you are bound by CERN’s Computing Rules (also known as CERN’s Operational Circular No. 5) which requires you to always keep your system up-to-date, fully patched and protected against unauthorised access. In addition, the personal use of CERN’s computing facilities, i.e. its network, is regulated, must be limited in terms of resource consumption, and must not be detrimental to your official duties, constitute political, commercial or profit-making activity, or be inappropriate, offensive or illegal. While the CERN Computer Security Team is mandated to enforce the CERN Computing Rules and therefore automatically monitors all activity on its networks (see our Bulletin article on “Transparency for your privacy”), CERN also values your privacy (“Your privacy at CERN matters”) as governed by the office of data privacy protection.
Your personal device is yours and only yours. Neither your supervisor, line management or hierarchy, nor IT desktop support, ServiceDesk or local support personnel have the means to access your computer without your consent. If they do need to access your device, e.g. to help you to resolve computer issues, to install software or for any other reason, they should ask for your consent. The consent requirement also holds true for the CERN Computer Security Team. If this consent cannot be obtained, access is still possible with the explicit authorisation of the DG in accordance with CERN’s policy on “third-party access to users' accounts and data”. Your collaboration, however, is always appreciated to allow us to resolve and follow up on computer security incidents or to carry out fraud investigations.
Please let us know if you believe that your device has been subject to any unauthorised access by a third party within or outside CERN, in particular during (duty) travel. By the way, during any absence, CERN’s policy on “third party access to users' accounts and data” provides a procedure for a requestor to get access to data or a CERN-owned device – if genuinely needed, and only under very strong scrutiny.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.