Educause Security Discussion mailing list archives

Re: Data capture protection for security staff


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Tue, 9 Sep 2008 14:12:22 -0700

Hi Beth,

 I think there are two parts to addressing this. The first is in a
notice to your end-users, ensuring they are aware of the practice.  As
others have stated, we also manage our privacy statement through our
Acceptable Use policy, for example:

"4. Privacy & Monitoring
All College-owned property and the work, correspondence, data and other
material therein, whether stored electronically, on paper, or in any
other form, are subject to review for legitimate business reasons.
Portions of the IT infrastructure include automatic and manual
monitoring and recording systems that are used for reasons that include,
but are not limited to, security, performance, backup, and
troubleshooting. The College reserves the right at any time to monitor
and access any data, including the contents of any College computer or
College communications, for any legitimate business reason."
http://www.pima.edu/admin/it/documents/Acceptable-Use.pdf

 The second issue is regarding how your staff perform these activities.
These need to run the gamut from a high level institutional policy to
procedures that detail how your staff handles these issues. For example,
we have a high-level policy on "IT related Investigations", and then
procedures documentation on CALEA, the Federal Wiretapping Act, and on
more generic incident response. I can send you any or all of those if
you'd like. In court, it is important to have documented and approved
policy and procedures, otherwise they can create all kinds of arguments.


 Finally, IANAL, but I would recommend against an approach that rests
too heavily on packet data. There are a lot of reasons why this is
problematic for cultural reasons, legislative reasons, trial reasons,
etc. Generally, when an employee is doing something illegal, there is
going to be more than just wire data. Perhaps files on the local
computer, perhaps behaviors that could be observable, etc. In other
words, packet data should be just the first piece of evidence: enough to
warrant an investigation perhaps.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College




-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Young, Beth A.
Sent: Tuesday, September 09, 2008 12:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data capture protection for security staff

Hello,

I am looking for example statements that people have used for permission
to do packet captures or other traffic/computer analysis that may involve
confidential information, whether that statement is a blanket policy
statement warning every user that there is no expectation of privacy or
statements included in job descriptions.

Reading articles like this one in Wired:
http://blog.wired.com/27bstroke6/2008/05/isp-content-f-1.html and
attending SANS classes which have a disclaimer about getting permission
before doing any kind of data capture, I am looking for what other
organizations are doing to protect their employees from civil or criminal
lawsuits.  For example: Employee A gets fired (or reprimanded) for
inappropriate web surfing at work.  Employee A decides that the security
department employees, the ones that did the packet captures at the
request of HR, have violated the Wiretap Act and takes them to civil
court.  Ohm (from the Wired article linked above) seems to think that
any system administrator could be in trouble for doing their job, even
if directed by their boss to install a monitoring device.

Our situation at MOREnet gets even more complicated because we are a
statenet.  We occasionally receive packet captures, log files or other
information/data from MOREnet member sites - meaning that we, as an
organization, are not doing any capturing of data, but receiving captured
data.  We are concerned that we are opening ourselves up to civil or
criminal liability because we do not know if the member site has an
acceptable use policy that covers capturing of data.  Another example:
We are asked to look at a packet capture to help troubleshoot a network
slowness problem.  While sifting that data, we find what we suspect to
be inappropriate traffic.  We point it out to the site security contact
and a person gets fired.  That person then goes on to sue the school for
wrongful termination and says that the packet captures were illegal and
breaking wiretap law.  What liability do we have?  The site security
person would not have found the traffic without our help (mainly because
most sites do not have advanced technical knowledge), so are we dragged
into their legal battle as the finders of the bad traffic?  What kind of
policies or job descriptions would you want to protect yourself?

Thanks,
Beth


Beth Young, CISSP
MOREnet Security
1-800-509-6673
http://www.more.net/security
