Computer Security: confidentiality is everybody’s business
Recently, a zip file with confidential information was mistakenly made public on one of CERN’s websites. Although the file was only intended for members of an internal committee, when placing it onto the CERN website, someone made a mistake when setting the access permissions and, thus, made the file accessible to everyone visiting the site!
Unfortunately, this is but one example of such mistakes. We have seen other documents made accessible to a much wider audience than originally intended…
CERN takes serious measures to ensure the confidentiality of data. Confidential or “sensitive” documents (following the nomenclature set out in the CERN Data Protection Policy) deserve professional handling and access protections given only to the people who really need to access them. As such, they must not be widely circulated as attachments in e-mails and, most definitely, must not be stored on random public websites for the sole purpose of sharing them. Instead, these documents should reside in their original storage location (like AFS, Alfresco, CDS, DFS, EDMS, INDICO, Sharepoint) and the corresponding access controls should be adapted so that all people who need access are granted it and everyone else’s access is blocked.
The level of protection is clearly marked in EDMS (“Public access”, “Restricted access”) and INDICO (“public”, “restricted” or edit the event and check the “Protection” tab). For AFS and DFS, instructions for properly protecting files can be found here and here, respectively.
Confidentiality is everybody’s business! Think twice before passing on sensitive documents. Act professionally and use your judgment. Keep the document in its original place and just share its link or location.
Alternatively, use CERNbox, which even allows you to share documents with people who don't have a CERN computing account. However, still remember to configure the access protections as restrictively as possible. Remember, members of the personnel are accountable for maintaining the confidentiality of the data entrusted to them. Any breach of that trust may lead to administrative or even disciplinary action.
For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.
Access the entire collection of Computer Security articles here.
by Stefan Lueders, Computer Security Team