<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" href="/style.css" type="text/css" /> <script type="text/javascript" src="/jquery.min.js"></script> <title>CERN Computer Security Information</title> <script type="text/javascript"> $(document).ready(function(){ // Menu highlight var path = location.pathname.split("/"); if ( path ) { $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected'); // path[3] = /security/<xxxxx>/ $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected'); } // Add icon to external links $('a[id!=logo-img]').filter(function() { return this.hostname && this.hostname !== location.hostname;   }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>'); }); </script> </head> <body> <div id="wrap"> <div id="top-bg"></div> <!--header --> <div id="header"> <div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div> <div id="header-logo"><a href="/services/en/emergency.shtml"><img width=335 src="/images/emergency.png" alt="Computer Emergencies"/></a></div> </div> <!--header ends--> <div id="header-photo"></div> <!-- navigation starts--> <div id="nav"> <ul id="main_menu"> <li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li> <li><a href="/home/en/index.shtml">Home</a></li> <li><a href="/rules/en/index.shtml">Computing Rules</a></li> <li><a href="/recommendations/en/index.shtml">Recommendations</a></li> <li><a href="/training/en/index.shtml">Training</a></li> <li><a 
href="/services/en/index.shtml">Services</a></li> <li><a class="secured" href="/reports/en/index.shtml">Reports &amp; Presentations</a></li> </ul> </div> <!-- navigation ends--> <!-- content-wrap starts --> <div id="content-wrap"> <div id="main"> <h2>Digital Privacy Statement of CERN's Computer Security Team</h2> <em class="titledate">2017/4/26 by CSO</em> <h4>Introduction</h4> <p>The CERN Computer Security Team ("the Team") takes great care to protect the personal data collected or accessed by us. This Privacy Statement describes how and when the Team gathers, accesses, uses and shares information about you or your usage of CERN's computing facilities and how the Team protects this information.</p> <h4>Scope</h4> <p>This Privacy Statement applies to all persons accessing or using CERN computing facilities, including websites hosted at CERN. It complements CERN's Computing Rules, i.e. the Operational Circular No. 5 on the <a href="https://cern.ch/security/rules/en/OC5_english.pdf">Use of CERN Computing Facilities</a>, in particular its subsidiary rules, and <a href="https://cds.cern.ch/record/1202760">Administrative Circular No. 10</a> on Personal Data Protection.</p> <h4>Information Collection and Use</h4> <p>The CERN Computer Security Team automatically records information ("Log Data") created by your use of CERN's computing facilities in order to detect and understand any abuse of CERN's computing facilities as well as any other violation of the <a href="https://cern.ch/security/rules/en/OC5_english.pdf">CERN Computing Rules</a> in real time and/or in retrospect. </p><p> Log Data contains information on your digital access to CERN's computing facilities including access to the wired and wireless networks, unencrypted network traffic of your device(s) with external services on the Internet, as well as all your activities linked to CERN's interactive computing clusters and its web services. Log Data is always registered with an accurate time stamp. 
In detail, Log Data includes:</p> <ul> <li>Usage information when connecting your device(s) to CERN's wired or wireless networks (i.e. <a href="https://en.wikipedia.org/wiki/Address_Resolution_Protocol">ARP</a> and <a href="https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol">DHCP</a> meta data);</li> <li>Queries of your device(s) to CERN's <a href="https://en.wikipedia.org/wiki/Domain_Name_System">Domain Name Servers</a>;</li> <li>Network communication data gathered at CERN's outer perimeter firewall as well as at several internal network boundaries. This data includes <ul> <li><a href="https://en.wikipedia.org/wiki/NetFlow">"NetFlow" data</a> containing connection meta data, i.e. source and destination IP addresses as well as port numbers, connection duration and total payload size;</li> <li>the entire payload of unencrypted web traffic, i.e. <a href="https://en.wikipedia.org/wiki/Uniform_Resource_Locator">URLs</a>, name of the referrer, and web server/host name;</li> <li>full captures (so-called <a href="https://en.wikipedia.org/wiki/Pcap">"pcap" files</a>) of network traffic deemed suspicious by our network-based intrusion detection systems;</li> </ul></li> <li>Information about signing in and out using the CERN Single Sign-On portal, or using <a href="https://en.wikipedia.org/wiki/Secure_Shell">SSH</a> or <a href="https://en.wikipedia.org/wiki/Remote_Desktop_Protocol">RDP</a> connections into CERN's interactive computing clusters, including source and destination IP addresses and domain names;</li> <li>Data generated by your activities within a user session instantiated on CERN's interactive computing clusters (e.g. ADM/BATCH/PLUS/SWAN), i.e. <ul> <li>Any command(s) and parameter(s) typed or executed within the context of your user session(s);</li> <li>All network meta-data related to your session;</li> </ul></li> <li>Data generated by your activities when accessing web pages hosted on CERN's computing facilities, i.e. 
<a href="https://en.wikipedia.org/wiki/Uniform_Resource_Locator">URLs</a>, referrer, web server/host name.</li> </ul> <p> In addition, in order to proactively detect any malicious attempts to misuse your account(s), device(s) and data, any misconfiguration or vulnerabilities thereof as well as any violation of <a href="https://cern.ch/security/rules/en/OC5_english.pdf">CERN Computing Rules</a>, the CERN Computer Security Team in collaboration with the corresponding service providers performs automatic security scans of:</p> <ul> <li>your e-mails and e-mail attachments received from or sent to the outside of the Organization (the so-called <a href="/recommendations/en/bad_mails.shtml">"SPAM"</a> filtering);</li> <li>your device(s) connected to CERN's wired or wireless networks for identification of weaknesses and vulnerabilities (using e.g. <a href="https://nmap.org/">"nmap"</a> or <a href="http://www.openvas.org/">OpenVAS</a>);</li> <li>centrally managed Windows PC(s) using centralized <a href="/recommendations/en/how_to_secure_your_pc.shtml">anti-virus software</a>;</li> <li>your files stored on CERN's central file storage systems (e.g. using the centralized <a href="/recommendations/en/how_to_secure_your_pc.shtml">anti-virus software</a> or custom tools for detecting misconfigurations).</li> </ul> <p> Finally, within its mandate defined by the <a href="https://cern.ch/security/rules/en/OC5_english.pdf">CERN Computing Rules</a>, the Computer Security Team has the authority to request any other Log Data stored with CERN's computing facilities for resolving computer security incidents or violations of those <a href="https://cern.ch/security/rules/en/OC5_english.pdf">CERN Computing Rules</a>. </p> <h4>Information Security and Retention</h4> <p>Log Data is stored using the computing facilities provided by CERN's IT department. CERN makes best efforts to protect this Log Data from unauthorized access, alteration, disclosure or destruction. 
Past experience has shown that a retention period of one year is sufficient to perform the analysis of security-related events in retrospect, but this is subject to periodic reviews. Log Data linked with any abuse of CERN's computing facilities as well as any other violation of the <a href="https://cern.ch/security/rules/en/OC5_english.pdf">CERN Computing Rules</a> is kept indefinitely.</p> <h4>Information Access, Sharing and Disclosure</h4> <p> As stipulated in the <a href="https://cern.ch/security/rules/en/OC5_english.pdf">CERN Computing Rules</a>, access to Log Data is limited to members of the CERN Computer Security Team, i.e. a limited number of individuals appointed ad-personam by CERN's Computer Security Officer, and only authorized when suspicious activity or activity potentially violating CERN's Computing Rules related to your activity, account(s) or device(s) has been detected by or reported to the Team. In those cases, the Team may preserve or disclose your information only if deemed by CERN to be necessary for legal purposes; to protect the safety of any person; to address fraud, security or technical issues; or to protect CERN's rights or property. In particular, the Team reserves the right to disclose (parts of) your data promptly to third parties in order to avert any further harm to you, your account(s), your device(s) or your data. </p><!--p> Direct access by the CERN Computer Security Team to any data, in particular, access to personal data (e.g., the ~/private-folder on AFS or the "My Documents" folder on DFS) or mailboxes, as well as any demand made by a third party is treated according to the policy on <a href="https://cern.ch/dataprotection/home/en/data_access_by_thirds.shtml">"Third party access to users' accounts and data"</a>. </p--> <h4>Revisions</h4> <p>This Privacy Statement may be periodically revised. 
Prior versions of the Privacy Statement are archived and available here:</p> <ul> <li><a href="https://cern.ch/security/home/en/privacy_statement_20161115.shtml">2016/11/15</a></li> </ul> <p>All standardized CERN privacy policies can be found on the <a href="https://cern.service-now.com/nav_to.do?uri=%2Fu_privacy_policy_list.do">ServiceNow portal</a>.</p> </div> <!-- main ends --> <!-- SIDEBAR --> <!-- sidebar menu starts --> <div id="sidebar"> <ul class="sidemenu"> <li class="noselect"><b><a href="/home/fr/index.shtml"><img src="/images/fr.png"/> Vous pr&eacute;f&eacute;rez le fran&ccedil;ais ?</a></b></li> </ul> <h3>Emergency Response</h3> <ul class="sidemenu"> <li><a href="/services/en/emergency.shtml">What to do in an emergency</a></li> </ul> <h3>Contact</h3> <ul class="sidemenu"> <li><a href="/home/en/csirt.shtml">How to contact the Computer Security Team</a></li> <li><a href="/home/en/cvd.shtml">Coordinated Vulnerability Disclosure</a></li> <li><a href="/home/en/CERN/liaisons.shtml">Departmental &amp; experiment liaisons <img src="/images/bullet_lock.png" alt="CERN login required"/></a></li> </ul> <h3>About CERN Computer Security</h3> <ul class="sidemenu"> <li><a href="/advisories/advisories.shtml">Advisories</a></li> <li><a href="/home/en/data_sharing.shtml">Data Sharing Guidelines</a></li> <li><a href="/home/en/about.shtml">Security is not complete without you</a></li> <li><a href="/home/en/privacy_statement.shtml">Privacy Statement</a></li> <li><a href="/home/en/kudos.shtml">Kudos!</a></li> </ul> </div> <!-- sidebar menu ends --> <!-- content-wrap ends--> </div> <!-- footer starts --> <div id="footer-wrap"> <div id="footer-bottom"> &copy; Copyright 2024<strong> <a href="https://cern.ch/security">CERN Computer Security Office</a></strong> <table> <tr> <td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a 
href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. </td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>
