CERN Computing Rules:
The Use of CERN Computing Facilities

In accordance with the CERN Cybersecurity Policy established by the Director General, cybersecurity at CERN is governed by CERN's Operational Circular #5 (OC5), i.e. the CERN Computing Rules, under the auspices of the CERN Computer Security Officer.

The Computing Rules and the Cybersecurity Policy imply that each person using or contributing to CERN's computing facilities (e.g. its network, CERN-Owned Devices, on-site or cloud-based computing services) shall actively contribute to the implementation of these Rules through exemplary conduct. This includes the following behaviour:

• compliance with these Rules including its Subsidiary Rules;
• actively seeking information to minimise risks;
• avoiding dangerous situations for their equipment and CERN's computing facilities; and
• exercising the responsibilities assigned to them.

As such, and unless delegated when using central services, any owner of computing resources connected to or provided to them by CERN's computing facilities are ultimately responsible for the compliance of their actions and their resources with these Rules.

Subsidiary Rules

Based on the Operational Circular #5 (OC5) and the Cybersecurity Policy, and following a Defence-in-Depth approach, a set of dedicated "Subsidiary Rules" provide managerial and technical rules on how to use CERN's Computing Facilities in a secure fashion. As OC5 and the Cybersecurity Policy, these Subsidiary Rules are binding (see OC5 II 8a). Any derogation from these Rules requires written approval by the CSO, and might enter the CERN/IT Risk Register. Non-compliance with any of these Rules might lead to sanctions, e.g. reduced functionality (limited connectivity, e.g. "throttling"), the termination of service ("blocking"), or administrative measures as defined in Section V of OC5.

Subsidiary Rules, newly created or to be updated, are discussed and approved (or rejected) in the Computer Security Board comprised of appointed Computer Security Liaisons as representatives from CERN sectors/departments/units and experiments. In the event of ambiguity between the English version and the French version of the Subsidiary Rules, the English version shall prevail.

CERN Computing Rules

• Operational Circular Nº5
• Aims of OC5
• Cybersecurity Policy
• Mandate of the CSO
• Departmental & Experiment Liaisons
• Computer Security Board

OC5 Subsidiary Rules

• Data Protection & Privacy
• Endpoints
• Identities, Authentication & Authorization
• IT Service Operations
• Networking
• Software Development & Configuration
• Software Restrictions

Security Principles

• ...for Containers
• ...for (Server) Operating Systems
• ...for Software Developments
• ...for Web Applications
• Security Baselines (deprecated)

Other Useful Information

• Glossary
• CERN Cloud Licence Office
• CERN Data Governance
• CERN Office of Data Privacy Protection
• CERN Software Licence Office