Differences

This shows you the differences between two versions of the page.

en:cc_charte_de_bon_usage_des_ressources_du_centre_de_calcul [2016/12/16 10:16] (current)
Line 1: Line 1:
 +Last modified: Nov 28, 2016 by Rouet\\
 +\\
 +
 +====== CC: charter of good practice of the Computing Center'​s resources ======
 +
 +\\
 +\\
 +
 +====== Chapitre 1 : Charter of good practice of the IN2P3 and DAPNIA Computing Center’s resources ======
 +
 +=====  Preamble ​ =====
 +
 +The computing information systems and equipments of the Computing Center made availables to IN2P3 and DAPNIA staff are dedicated to scientific research. Most of this hardware is connected to a local network and through it to the Internet. Any user of this hardware thus belongs to a vast community which implies on his part the respect for certain safety and good behavior rules. Imprudence, negligence or malicious intent by a user can have serious consequences for the community.\\
 +\\
 +This charter lays out the rights and obligations of each person and represents a mutual commitment between the user and all the laboratory'​s staff. It is presumed to be known by all and is an integral part of the Computing Center'​s company rules.
 +=====  The different players ​ =====
 +
 +From an information system point of view, a distinction must be made between three categories of players:
 +  * The users: the whole of people using the information systems made available to them.
 +  * The system, network administrators and IS security correspondents,​ technically responsible for the operation of the IS tools.
 +  * the functional managers: laboratory management, group or unit managers, teachers supervising the students for activities calling on IS resources.
 +
 +Each category has rights and obligations which are identical in spirit but different in their application.
 +=====  The rights of all  =====
 +
 +Each person has a right to:
 +  * The information relating to the common resources and services offered by the laboratory and the IN2P3.
 +  * The information allowing that person to best use the resources made available to them.
 +  * The information on the security of the system being used.
 +
 +=====  The obligations of each person ​ =====
 +
 +  * Each person has the obligation to respect the security rules applicable to the system being used. These rules consist of this charter illustrated by regularly updated appendices, as well as possible specific rules in connection with a particular work environment;​ these rules are available to each user via the functional manager or system administrator.
 +  * Each person must respect intellectual and commercial property rights in compliance with current legislation.
 +  * Each person must agree to refrain from obtaining knowledge of information belonging to others without their approval, from communicating to any third party such information or any non-public information to which that person may have had access but for which that person does not hold proprietary rights.
 +  * Each person must clearly identify himself, no one may use another person'​s identity or act anonymously. Each person must notify any intrusion attempt on their account.
 +  * No one may assign their rights to another. Access authorizations to IS resources are strictly personal and may not be assigned, either temporarily or definitively,​ to any person whatover (associate, friends, family members included) whatever trust may be held by that person.
 +  * Each person must try to achieve their goal using the least costly means in terms of common resources (disk space, printouts, workstation occupancy, remote server occupancy etc.).
 +  * Each person must contribute to improve the operation and the security of the IS tools in compliance with security rules and advice and by immediately notifying the managers of any observed anomaly, by sensitizing associates to the problems of which that person has knowledge. The installation of software which can jeopardize the security of IS resources is prohibited.
 +  * Each person must limit their use of the hardware made available to them to strictly professional use and comply with the functions assigned to them which excludes use for personal or commercial purposes.
 +  * No person can change any equipment either in terms of hardware or system software nor connect a computer to the local network without the express approval of the system and/or network administrator.
 +  * No loss or indemnity may be claimed pursuant to the alteration, destruction or loss of confidentiality of the processing of non-professional information by the system administrators in the fulfillment of their professional functions if such processing was implemented on a laboratory IS resource by a user at his own risk.
 +  * No one can connect equipment which is not the property of the laboratory on the local network without the approval of the system administrators who have the authority to require the means to administer it without restriction. This charter shall apply to said equipment and its owner shall become a user thereof under this charter.
 +
 +=====  Specific rights and obligations of system and network administrators ​ =====
 +
 +The administrator has technically extensive powers over many systems. As a result, the administrator'​s obligations are important, in particular that of not abusing of his powers. The system administrator is responsible for the security of the computers and/or the network under his care. The IS security correspondent belongs implicitly to this category. ​
 +====  All system and network adminisrator has the right: ​ ====
 +
 +  * To be informed of the legal implications of his work, in particular as regards the risks run should a user of the system under his responsibility commit an objectionable action.
 +  * To access, on the systems he administers,​ private information for system diagnostics and administration purposes, scrupulously respecting the confidentiality of this information refraining unless otherwise required from altering them.
 +  * To establish surveillance procedures for all the tasks performed on the machine to detect breaches or attempted breaches of this charter, under the authority of his functional supervisor and in association with the IS security correspondent.
 +  * To take conservatory measures if required by an emergency without prejudice to sanctions resulting from breaches to this charter which are the responsibility of the functional managers.
 +
 +
 +====  All system and network adminisrator has the obligation: ​ ====
 +
 +  * To inform the users on the extent of his technical powers pursuant to his position.
 +  * To inform the users of and sensitize them to information security problems inherent to the system, to inform them of the security rules to be followed, assisted in this by the IS security correspondent.
 +  * To follow the general network access rules defined for the local network, and beyond that IN2P3, Renater and the Internet in general.
 +  * To follow confidentiality rules by limiting access to confidential information to what is strictly necessary and by respecting professional secrecy in this regard.
 +  * To follow, if he is a user of the system, the rules required by him of other users.
 +  * To configure and administer the system with a view to improved security in the interest of the users.
 +  * To inform the IS security manager of IN2P3 of the implementation of exceptional surveillance or investigation procedures.
 +  * To immediately inform his functional supervisor and the IN2P3 IS security manager of any intrusion attempt (successful or failed) on its system or of any dangerous user behavior.
 +  * To cooperate with the security correspondents of the outside networks in the event of a security incident involving a machine administered by him.
 +
 +=====  Specific rights and obligations of functional managers ​ =====
 +
 +
 +====  The functional managers of information systems have the right: ​ ====
 +
 +  * To temporarily or definitively prohibit access to information resources by any user who fails to comply with this charter.
 +  * To refer serious faults resulting from the failure to comply with this charter to the supervisors which may lead to disciplinary or criminal procedures.
 +
 +
 +====  The functional managers of information systems have the obligation: ​ ====
 +
 +  * To inform all the players of, to disseminate this charter by any appropriate means.
 +  * To appoint an IS security correspondent.
 +  * To communicate the name of the system administrators of all the machines placed under their authority to the laboratory IS security correspondent.
 +  * To support the system administrators and IS security correspondent with their authority in their work in applying this charter.
 +
 +=====  Sanctions incurred in the event of non-compliance ​ =====
 +
 +Any failure to comply with the rules laid out in this charter may lead to two types of sanctions:
 +  * **Disciplinary sanctions:​** the functional managers have full authority to take the necessary conservatory measures in the event of non-compliance with this charter and to prohibit the defaulting users from accessing the IS resources and the network. These defaulting users may be referred to the competent disciplinary committee.
 +  * **Civil and/or criminal sanctions:​** the evolution of electronic techniques and information technology has led the legislator to define sanctions in keeping with the risks to individual liberties and law arising from the uncontrolled use of IS files and processing.
 +
 +This charter, as integral part of the company rules of the IN2P3 Computing Center, has been communicated to all the laboratory'​s staff and applies to each member of that staff. ​
 +====== Annexe A : Informative list of violations likely to be committed on the network ======
 +
 +(These list does not pretend to be exhaustive)
 +=====  Violations provided for by the new french criminal code  =====
 +
 +
 +====  Crimes and offences against individuals ​ ====
 +
 +  * Personal infringement.
 +  * Invasion of privacy.
 +  * Infringement of personal representation.
 +  * False accusation.
 +  * Infringement of professional secrecy.
 +  * Violation of individual rights resulting from IS files or processing.
 +  * Infringement of the rights of minors (notably broadcasting of pornographic messages when they are likely to be seen by a minor or broadcasting,​ acquisition or receiving and concealing images of a paedophile nature or activity of the same nature).
 +
 +
 +====  Crimes and offences against goods  ====
 +
 +  * Fraud.
 +  * Violation of automated data processing systems, such as fraudulent access to or maintenance of an automated data processing system, likely to hinder or alter its operation and fraudulently enter data.
 +
 +=====  Press violations (act of 29 July 1881, amended) ​ =====
 +
 +  * Incitement to crime and offence.
 +  * Apologies for crimes against humanity.
 +  * Apologies for and incitement to terrorism.
 +  * Incitement to racial hatred.
 +  * Revisionism (contesting crimes against humanity).
 +  * Libel.
 +  * Slander.
 +
 +=====  Infringement of intellectual property rights ​ =====
 +
 +  * Counterfeiting intellectual work (including software).
 +  * Counterfeiting a drawing or model.
 +  * Fraudulent imitation of a trademark.
 +
 +=====  Infringement of encryption rules  =====
 +
 +=====  Participation in running a gambling house  =====
 +
 +
 +====== Annexe B : Practical advice and rules for good behavior ======
 +
 +(version of 11 janvier 1999)\\
 +\\
 +This list is in no way exhaustive but is simply a statement of good common computer sense.
 +=====  What should not be done:  =====
 +
 +  * Using simplistic passwords, writing them so that they are easily legible by all (under the keyboard) or communicating them to third parties (even to help).
 +  * Leaving your workstation temporarily without locking the sessions, leaving it for a long time without closing the sessions: the user's liability will be incurred in the event of a problem caused by this negligence.
 +  * Sending an e-mail, a message using the identity or signature of a third party (even for fun): this is a serious offence which can have disciplinary even criminal consequences.
 +  * Considering that what is technically possible is automatically authorized: this charter defines the rules, notably as regards the strictly professional use and purpose of the laboratory'​s information system resources.
 +
 +=====  What should be done:  =====
 +
 +  * Respect intellectual and commercial property: each person must ensure that his/her work tool does not contain illegal copies of software, his liability being involved even if he is not the author of such illegal copies (see "​Rocard"​ circular).
 +  * To choose good passwords, change them regularly, use existing tools and methods intended to improve the security of data and connections.
 +  * To be aware of one's responsibility with respect to the reliability and security of the common work tool (machines and network) and act consequently.
 +
 +
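Review bot: The headings added in this revision still carry untranslated French and a repeated typo: "Chapitre 1", "Annexe A", "Annexe B" and "(version of 11 janvier 1999)" should read "Chapter 1", "Appendix A", "Appendix B" and "11 January 1999", and the two headings "All system and network adminisrator has the right:" and "All system and network adminisrator has the obligation:" should read "Every system and network administrator has ...". In the body, "made availables", "whatover" and "These list does not pretend to be exhaustive" need the same pass. The two headings at the end of Annexe A, "Infringement of encryption rules" and "Participation in running a gambling house", have nothing under them; if they are meant as single items, fold them into a bulleted list like the sections above. The user obligation "Each person must notify any intrusion attempt on their account" names no recipient; pointing it at the functional manager or system administrator, as the first obligation does for the security rules, would make it actionable. The hand-written "Last modified: Nov 28, 2016 by Rouet" line duplicates the wiki's own revision date (2016/12/16 10:16) and already disagrees with it, so consider dropping it.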
  
  • en/cc_charte_de_bon_usage_des_ressources_du_centre_de_calcul.txt
  • Last modified: 2016/12/16 10:16
  • (external edit)