Guidelines and rules

    This document specifies rules, guidelines, and responsibilities for the use of the computer and network facilities of the MPI.

    Current responsible persons

    Responsibilities

    • The managing director is responsible for all matters of the MPI, including the IT security. The managing director delegates responsibility to the head of the Technical Group Reiner Dirksmeyer who delegates responsibility to Tobias van Valkenhoef who is the IT Security Manager of the MPI. 
    • The IT Security Manager defines the rules for IT Security and computer usage in synchronisation with the managing director, the RFC, and System Management. The rules should represent the state-of-the-art in research institutions and find a balance between the flexibility of the researchers on the one hand, and security against severe attacks on the other hand.
    • The System Managers of the MPI are bound to implement the defined rules. The users of all IT facilities at the MPI are bound to adhere to the rules. Those not contractually affiliated will be asked to accept these rules. 

    General aspects

    • Every employee of the MPI can request a personal computer, a network connection, an account giving access to all internal computing and networking facilities, and access to software that is needed to carry out the research. Request forms for various things can be found on the MaxIntra Intranet. 
    • Every employee who is collecting relevant digital material is requested to archive this material in the online archive and to provide proper metadata with it. 
    • Every researcher who is publishing a paper is requested to preserve its context - most probably by storing it in the archive. 

    Usage rules

    • The usage of the root passwords of all computing and network facilities at the MPI is restricted to the authorised persons within the TG. This rule can only be bypassed for exceptions defined by the IT Security Manager. 
    • For experimental computers it may be necessary to give the experimenters full control. These computers are treated like guest computers. The support for error handling will be limited. 
    • For all software used at the MPI, licenses have to be acquired where necessary. No one is allowed to install and use protected software without a license. No one is allowed to store copyrighted multimedia contents on the MPI's computer facilities.
    • No one except the TG is allowed to change the internal hardware setup of a computer. 
    • The users are not allowed to install any software on the computing facilities that can harm their functioning. The infection by computer viruses, spyware, and other intrusion software has to be indicated to the TG immediately once recognised. 
    • Computers that were not installed by TG members, that cannot be checked due to other scripting systems than English, German and Dutch, and where the TG members do not have the root passwords may not be connected to the MPI-internal network. They can be connected to the external network reserved for guests. 
    • The users are not allowed to set up private web servers on MPI computers. The web manager of the MPI is responsible for all webpages that are provided to the outside world, i.e., new content has to be signaled to the web manager.
    • When an employee's contract finishes, his/her account will be erased. The data will not be available anymore when the backup copy is recycled. An explicit request is necessary to extend the account for a limited transition period. Accounts for people not contractually affiliated with the MPI can only be created or prolonged with the consent of the directors. 
    • Data will be backed up according to the following strategy: Server disks (e.g., user home drives) are backed up every night. A history of three months is guaranteed. Local disks of PCs, Macs, and Linux workstations are NOT backed up.
    • Resources that were integrated into the archive will be stored in several copies, two of which are maintained at the MPI. 
    • Staff members are responsible for the correct attitude of the Student Assistants and have to inform them about these rules. 
    • All incoming and outgoing ports will be closed at the firewall, except those that are explicitly kept open. Requests for opening additional ports have to be submitted to the Security Manager. 
    • Software that requires using MPI account specifications, such as passwords, has to support the encryption of the passwords. 
    • Foreign and private notebooks are in general not allowed to be hooked up to the MPI domain. Exceptions can be made on special request. At all levels in the MPI, notebooks can be connected to the network for guests. 
    • Software that is not in agreement with MPI policies may not be used on MPI computers. 
    • For any projects involving personal data, the data protection laws have to be taken seriously. In case of questions, please contact the security liaison of the institute (Reiner Dirksmeyer). 

    Web presentation

    The following Code of Conduct serves as a guideline for what is accepted and what is not. 

    • No one at the institute except the webmaster is allowed to install and run a public webserver. 
    • All accepted personal webpages have to be connected to the institute's webpage by the webmaster, i.e., you can inform the webmaster about the link to be established. 
    • The personal homepage of members of the scientific staff should primarily contain descriptions of their scientific or science-related career, i.e., it can include typical items such as a curriculum vitae, recent publications, projects where they participated, earlier engagements, etc. 
    • The personal homepage of non-scientific members of the institute should primarily contain descriptions of their science-related work. 
    • The personal page may give an overview of the general topics you are currently working on, but it may not contain detailed project descriptions, experimental plans, unrevised preprints, more than the abstracts of published papers, etc. 
    • The personal homepage could give a limited amount of insight into your personality (hobbies etc.), although this is seen as exceptional. 
    • The personal homepage may not include statements about sexual, racial, and other topics which are not related to the work at the institute, or which fall under existing laws. It may also not include contents which are in conflict with the data protection law. 
    • The personal pages should not contain recommendations for commercial products.
    • To prevent misunderstandings, it should be the exception to include links to other websites in your personal pages, especially if they are not references to other scientific institutes. 
    • The personal pages have to include a disclaimer and the name of the author, preferably at the top. 

    Experiments

    • The TG supports the Presentations experimental package. 
    • Lab Managers are responsible for the experimental rooms.
    • The experiment group within the TG is responsible for developing and maintaining experimental setups.
    • The liaison person manages the time planning for the experimental rooms. Use the webforms on MaxIntra to request experiment time. 
    • Access is given to the persons mentioned on the request form by the reception. Only these persons will receive the key codes. 

    Disclaimer

    • The IT facilities of the MPI can be used for private activities of its employees if they are not commercial, if they do not hurt ethical principles and laws, and if they do not interfere with the employee's work commitments. 
    • The MPI declares that it will not guarantee that its computer networks are 100% safe and will not take over responsibilities that may arise from a misuse of its computers. Using MPI facilities for home banking, for example, is at the risk of the user.
    • The MPI will also not take responsibility for erroneous research results that may result from malfunctioning computers. It is the researcher's responsibility to check the results for correctness. Once errors are indicated on computers controlled by the TG, it is its task to remove the source of errors if possible.