Digital Privacy Statement of CERN's Computer Security Team

2016/11/15 by CSO

Introduction

The CERN Computer Security Team ("the Team") takes great care to protect the personal data collected or accessed by us. This Privacy Statement describes how and when the Team gathers, accesses, uses and shares information about you or your usage of CERN's computing facilities and how the Team protects this information.

Scope

This Privacy Statement applies to all persons accessing or using CERN computing facilities, including websites hosted at CERN. It complements the CERN's Computing Rules, i.e. the Operational Circular No. 5 on the Use of CERN Computing Facilities, in particular its subsidiary rules, and Administrative Circular No. 10 on Personal Data Protection.

Information Collection and Use

The CERN Computer Security Team automatically records information ("Log Data") created by your use of CERN's computing facilities in order to detect and understand any abuse of CERN's computing facilities as well as any other violation of the CERN Computing Rules in real time and/or in retrospect.

Log Data contains information on your digital access to CERN's computing facilities including access to the wired and wireless networks, unencrypted network traffic of your device(s) with external services on the Internet, as well as all your activities linked to CERN's interactive computing clusters and its web services. Log Data is always registered with an accurate time stamp. In detail, Log Data includes:

  • Usage information when connecting your device(s) to CERN's wired or wireless networks (i.e. ARP and DHCP meta data);
  • Queries of your device(s) to CERN's Domain Names Servers;
  • Network communication data gathered at CERN's outer perimeter firewall as well as at several internal network boundaries. This data includes
    • "NetFlow" data containing connection meta data, i.e. source and destination IP addresses as well as port numbers, connection duration and total payload size);
    • the entire payload of unencrypted web traffic, i.e. URLs, name of the referrer, and web server/host name;
    • full captures (so-called "pcap" files) of network traffic deemed suspicious by our network-based intrusion detection systems;
  • Information about signing in and out using the CERN Single Sign-On portal, or using SSH or RDP connections into CERN's interactive computing clusters, including source and destination IP addresses and domain names;
  • Data generated by your activities within a user session instantiated on CERN's interactive computing clusters (e.g. ADM/BATCH/PLUS/SWAN), i.e.
    • Any command(s) and parameter(s) typed or executed within the context of your user session(s);
    • All network meta-data related with your session;
  • Data generated by your activities when accessing web pages hosted on CERN's computing facilities, i.e. URLs, referrer, web server/host name.

In addition, in order to proactively detect any malicious attempts to misuse your account(s), device(s) and data and any misconfiguration or vulnerabilities thereof, the CERN Computer Security Team in collaboration with the corresponding service providers perform automatic security scans of:

  • your e-mails and e-mail attachments received from or sent to the outside of the Organization (the so-called "SPAM" filtering);
  • your device(s) connected to CERN's wired or wireless networks for identification of weaknesses and vulnerabilities (using e.g. "nmap" or OpenVAS);
  • centrally managed Windows PC(s) using centralized anti-virus software;
  • your files stored on CERN's central file storage systems (e.g. using the centralized anti-virus software) or custom tools for detecing misconfigurations.

Finally, within its mandate defined by the CERN Computing Rules, the Computer Security Team has the authority to request any other Log Data stored with CERN's computing facilities for resolving computer security incidents or violations of those CERN Computing Rules.

Information Security and Retention

Log Data is stored using the computing facilities provided by CERN's IT department. CERN makes best efforts to protect this Log Data from unauthorized access, or alteration, disclosure or destruction (also see CERN's Digital Privacy Statement). Past experience has shown that a retention period of one year is sufficient to perform the analysis of security related events in retrospect, but this is subject to periodical reviews. Log Data linked with any abuse of CERN's computing facilities as well as any other violation of the CERN Computing Rules is kept indefinitely.

Information Access, Sharing and Disclosure

As stipulated in the CERN Computing Rules, access to Log Data is limited to members of the CERN Computer Security Team, i.e. a limited number of individuals appointed ad-personam by CERN's Computer Security Officer, and only authorized when suspicious activity or activity potentially violating CERN's Computing Rules related with your activity, account(s) or device(s) has been detected by or reported to the Team. In those cases, the Team may preserve or disclose your information only if deemed by CERN to be necessary for legal purposes; to protect the safety of any person; to address fraud, security or technical issues; or to protect CERN's rights or property. In particular, the Team reserves the right to disclose (parts of) your data promptly to third parties in order to avert any further harm to you, your account(s), your device(s) or your data.

Revisions

This Privacy Statement may be periodically revised. Prior versions of the Privacy Statement will be archived and kept available.