Educause Security Discussion mailing list archives
Re: Campus verses university hospital ACUP investigation authority
From: Tim Howard <Timothy_G_Howard () RAYTHEON COM>
Date: Tue, 31 Jan 2006 17:53:21 -0500
Hi David, It is common for both the government and corporations to take the view that any bits created using their information resources belong to them, especially if it is in the course of assigned work duties. Typically, users are warned with a banner statement, to which they agree when they accept the banner and login. You can included language in your acceptable use policy and/or Rules of Behavior to this effect, and make users aware that their expectation of privacy, which is where the issue usually ends up, is really not valid. I am not aware of any legal rulings in this area to support the assertion of bit ownership, but that is the practice I have seen while working as a contractor supporting both corporate and government entities. I recommend reviewing the policies created for the U.S. Antarctic Program, which can be reviewed at http://www.usap.gov/technology/ under the Information Security link. The acceptable use policy is general and instructs the program participants to review the Rules of Behavior (separate document on the same web page). The ROB include a specific statement about expectations of privacy and NSF ownership of the information. The policy and rules were developed based on current thinking in the academic community (I helped the government with their development). You might also take a look at hospital leaders like Johns Hopkins to see what they are doing, and of course SANS is a must-read for this sort of activity. If you need more in-depth assistance, you can contact me offline at tghoward () sprintmail com. (I am moving to a new job next week, and my Raytheon email will no longer work) Cheers, Tim Raytheon Tim Howard Information Security Manager Raytheon Information Solutions 301.943.4732 cell; timothy_g_howard () raytheon com David Grisham <DGrisham () SALUD UNM EDU> 01/31/2006 03:30 PM Please respond to The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> To SECURITY () LISTSERV EDUCAUSE EDU cc Subject [SECURITY] Campus verses university hospital ACUP investigation authority We are revising our procedures for searching email, hard drives and Internet traffic. We feel that anything on our systems is "work product" and owned by the hospital and can be searched accordingly for investigative and work-related needs. We previously had a combination of the campus ACUP that restricted managers from searching for investigative purposes and the issue that our managers are advocates for the hospital. As such will investigate for disciplinary action. Does anyone have a similar policy in place? Cheers. -grish David D. Grisham, Ph.D., CISM, CHS, CHSP Manager, IT Security, UNM Hospitals, Information Technology
Current thread:
- Campus verses university hospital ACUP investigation authority David Grisham (Jan 31)
- <Possible follow-ups>
- Re: Campus verses university hospital ACUP investigation authority Tim Howard (Jan 31)