With the 2023 cybersecurity audit and the subsequent approval by CERN's Extended Directorate of the new Cybersecurity Policy, which parallels, complements and clarifies the CERN Computing Rules aka Operational Circular 5 (OC5), the foundations have been laid to review, augment and produce new Subsidiary Rules to better explain "what goes and what does not" with regards to CERN's computing facilities and the computing resources they serve. Let's look at the full package and how it impacts you.
For one, the Computing Rules and the Cybersecurity Policy require that anyone using or contributing to CERN's computing facilities (e.g. its network, CERN-owned devices, on-site or cloud-based computing services) actively contribute to the implementation of the Rules and Policy through exemplary conduct - namely by:
- acting in compliance with the Rules, including the Subsidiary Rules;
- actively seeking information to minimise risks;
- avoiding dangerous situations for their equipment and CERN's computing facilities; and
- assuming the responsibilities assigned to them.
As such, and unless responsibility is delegated when using central services, all owners of computing resources connected to or provided to them by CERN's computing facilities are ultimately responsible for the compliance of their actions and their resources with these Rules.
For two, in order to help all users of CERN's computing facilities to better fulfil their responsibilities and to better understand "what goes and what does not", the aforementioned set of dedicated "Subsidiary Rules" provide managerial and technical guidance on how to use CERN's computing facilities in a secure fashion. Like OC5 and the Cybersecurity Policy, these Subsidiary Rules are binding (see OC5 II 8a). Any derogation from these Rules requires written approval by CERN's Computer Security Officer and may be entered in the CERN/IT Risk Register. Non-compliance with any of these Rules might lead to sanctions, e.g. reduced functionality (limited connectivity, e.g. "throttling"), the termination of service ("blocking") or administrative measures (see OC5 V).
Subsidiary Rules, whether newly created or to be updated, are discussed and approved (or rejected) in the just-established Computer Security Board, comprised of appointed Computer Security Liaisons as representatives of CERN sectors/departments/units and the experiments. In the next couple of months, this Board will review all the current Subsidiary Rules and, in order to complement the implementation of the cybersecurity audit's recommendations, create additional Rules.
Computer security revised - but in the end, however, there shouldn't be any surprises for you: the same rules as always (OC5 dates back to the year 2000!) apply to you and your use of CERN's computing facilities. Now they are just clearer, more concrete and more explicit. A big thank you to you all for helping to secure and protect CERN!