Computer security: Rules: what’s allowed and what isn’t

The CERN Computing Rules govern the usage of CERN’s computing facilities, CERN’s wired and wireless networks including all devices connected to them

CERN has always valued its academic freedom, its international character and its openness, welcoming people from all over the world, giving them the opportunity to think outside the box and try something new, fostering creativity and avoiding placing hurdles in their way. It is this open and free environment that allows us to tackle the riddles of nature, to endeavour to understand the universe and its rules, and to advance fundamental research and technology. While such an open academic environment is paramount to the operation of CERN, it cannot be completely free of rules…

Rules are (maybe?) an annoying but necessary part of running an Organization like CERN. Rules are imposed on CERN by the Host States, e.g. for safety or radiation-related matters, and are also an essential ingredient in preserving the Organization’s independence. Rules are also enacted by CERN itself in order to enable peaceful and friendly coexistence inside the research community and, like anywhere else in the world, between people. At CERN, the Staff Rules and Regulations, its subsidiary Administrative and Operational Circulars, and the CERN Code of Conduct provide the official and “legal” framework for the proper and efficient functioning of the Organization: employment conditions and working hours; salaries and benefits; working conditions and safety precautions; access rights and control; as well as how to deal with alcohol problems, harassment and fraud.

The CERN Computing Rules, i.e. CERN’s Operational Circular No. 5 (OC5), govern the usage of CERN’s computing facilities, CERN’s wired and wireless networks including all devices connected to them, any computer centre service and the systems, data and applications running therein, any computing nodes and storage clusters for any kind of data processing, as well as any digital and connected device that is part of the accelerator complex or the experiments. Here too, academic freedom prevails and OC5 tolerates the personal use of CERN’s computing facilities as long as this use “is in compliance with [OC5] and not detrimental to official duties, including those of other users; the frequency and duration is limited and there is a negligible use of CERN resources; it does not constitute a political, commercial and/or profit-making activity; it is not inappropriate or offensive; it does not violate applicable laws.” As you can see, online as elsewhere at CERN, you are expected to respect the fact that this is a professional environment and to behave accordingly. The mandate of the CERN Computer Security Officer is to protect the operations and the reputation of the Organization against any cyber-threat; this includes verifying that the corresponding rules are being followed.

As outlined in the Bulletin article entitled “Transparent Monitoring for your Protection”, measures have been implemented to automatically validate the conformity of personal and professional activity with OC5 and its “Rules for personal usage”. Usually, this forms part of our logging and monitoring systems for the detection of intrusions, attacks and malicious deeds against CERN’s computing facilities from both outside and within CERN, as described in some depth in our Digital Privacy Statement. But besides our automatic tools, the Computer Security Team follows up any suspicious activity reported to them by CERN staff, users or third parties from outside the Organization (e.g. affiliated universities, security companies, individuals who are part of our computer “security” network, law enforcement agencies and the police). While we seek to maintain open access to the Internet (including for personal usage), we may in some rare cases block access to, for example, websites hosting malicious content (e.g. drive-by infections, CERN-like phishing pages) or other kinds of clearly illegal material. Please note, however, that you are always responsible for your own web browsing; the fact that you are able to access a website does not mean that it is legal or otherwise acceptable under OC5.

So, please refrain from any inappropriate or illegal usage of CERN’s computing facilities, CERN computers/PCs/laptops or any network belonging to CERN, and, for example, do not browse or download offensive material (see “Offensive Public Browsing”), do not post commercial messages on CERN webpages, do not mine crypto-currencies as the resources (electricity, CPU cycles, etc.) are needed by CERN for other purposes (see “Computing power for professionals… only!”), and do not share music, videos or software if you do not have the proper authorisation to do so (see “Music, Videos and the Risk for CERN”). Otherwise, you must face the fact that virtual misconduct might be detected, reported and have real consequences (“Virtual Misconduct – Real Consequences”)…

Do you want to learn more about computer security incidents and issues at CERN? Register to receive our monthly report. For further information, questions or help, check out our website or contact us at Computer.Security@cern.ch.