Educause Security Discussion mailing list archives
Re: Data capture protection for security staff
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Tue, 9 Sep 2008 14:12:22 -0700
Hi Beth,

I think there are two parts to addressing this. The first is in a notice to your end-users, ensuring they are aware of the practice. As others have stated, we also manage our privacy statement through our Acceptable Use policy, for example:

"4. Privacy & Monitoring

All College-owned property and the work, correspondence, data and other material therein, whether stored electronically, on paper, or in any other form, are subject to review for legitimate business reasons. Portions of the IT infrastructure include automatic and manual monitoring and recording systems that are used for reasons that include, but are not limited to, security, performance, backup, and troubleshooting. The College reserves the right at any time to monitor and access any data, including the contents of any College computer or College communications, for any legitimate business reason."

http://www.pima.edu/admin/it/documents/Acceptable-Use.pdf

The second issue is regarding how your staff perform these activities. These need to run the gamut from a high level institutional policy to procedures that detail how your staff handles these issues. For example, we have a high-level policy on "IT related Investigations", and then procedures documentation on CALEA, the Federal Wiretapping Act, and on more generic incident response. I can send you any or all of those if you'd like. In court, it is important to have documented and approved policy and procedures, otherwise they can create all kinds of arguments.

Finally, IANAL, but I would recommend against an approach that rests too heavily on packet data. There are a lot of reasons why this is problematic for cultural reasons, legislative reasons, trial reasons, etc. Generally, when an employee is doing something illegal, there is going to be more than just wire data. Perhaps files on the local computer, perhaps behaviors that could be observable, etc. In other words, packet data should be just the first piece of evidence: enough to warrant an investigation perhaps.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Young, Beth A.
Sent: Tuesday, September 09, 2008 12:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data capture protection for security staff

Hello,

I am looking for example statements that people have used for permission to do packet captures or other traffic/computer analysis that may involve confidential information whether that statement is a blanket policy statement warning every user that there is no expectation of privacy or statements included in job descriptions.

Reading articles like this one in Wired: http://blog.wired.com/27bstroke6/2008/05/isp-content-f-1.html and attending SANS classes which have a disclaimer about getting permission before doing any kind of data capture, I am looking for what other organizations are doing to protect their employees from civil or criminal lawsuits.

For example: Employee A gets fired (or reprimanded) for inappropriate web surfing at work. Employee A decided that the security department employees, the ones that did the packet captures at the request of HR have violated the Wiretap act and takes them to civil court. Ohm (from the Wired article linked above) seems to think that any system administrator could be in trouble for doing their job, even if directed by their boss to install a monitoring device.

Our situation at MOREnet gets even more complicated because we are a statenet. We occasionally receive packet captures, log files or other information/data from MOREnet member sites - meaning that we, as an organization are not doing any capturing of data, but receiving captured data. We are concerned that we are opening ourselves up to civil or criminal liability because we do not know if the member site has an acceptable use policy that covers capturing of data.

Another example: We are asked to look at a packet capture to help troubleshoot a network slowness problem. While sifting that data, we find what we suspect to be inappropriate traffic. We point it out to the site security contact and a person gets fired. That person then goes on to sue the school for wrongful termination and says that the packet captures were illegal and breaking wiretap law, what liability do we have? The site security person would not have found the traffic without our help (mainly because most sites do not have advanced technical knowledge) so are we dragged into their legal battle as the finders of the bad traffic?

What kind of policies or job descriptions would you want to protect yourself?

Thanks,
Beth

Beth Young, CISSP
MOREnet Security
1-800-509-6673
http://www.more.net/security