Re: Sniffer notification

[Carol Myers <carol.myers () DOMAIL MARICOPA EDU>]

Maricopa Community College's standards state:

<snip>It is not Maricopa's practice to monitor the content of electronic
mail transmissions, files, or other data maintained in its computing
resources. The maintenance, operation and security of Maricopa's
computing resources, however, require that network administrators and
other authorized personnel have access to those resources and, on
occasion, review the content of data and communications maintained
there. A review may be performed exclusively by persons expressly
authorized for such purpose and only for cause. To the extent possible
in the electronic environment and in a public setting, a user's privacy
will be honored. Nevertheless, that privacy is subject to Arizona's
public records laws and other applicable state and federal laws, as well
as policies of Maricopa's Governing Board all of which may supersede a
user's interests in maintaining privacy in information contained in
Maricopa's computing resources.</snip>

http://www.dist.maricopa.edu/legal/dp/inbrief/compstandards.htm


Tracy Mitrano wrote:

> Just curious on this thread about a related question:
>
>         How many schools have IT policies that state something to the
> effect of:
>
>         "[Name of Institution] does not as a practice monitor its
> network for content"
>
> Please note that such a statement does not prevent whatever technical
> measures are necessary for security and maintenance, as is explained by
> additional policy language.
>
> Thanks!
>
> Tracy
>
>
>
>
> At 10:55 AM 3/23/2004 -0500, Richard Gadsden wrote:
>
> > On Tue, 23 Mar 2004, Cal Frye wrote:
> >
> > > We're about to diagnose some networking issues here with rather
> > > aggressive use of Sniffer on student ports. We've always considered this
> > > to be pretty intrusive, and not to be done without notifying the users
> > > involved that we would be listening in. But we don't have written
> > > policies concerning this action, beyond the general statement that we
> > > (1) respect users privacy but (2) reserve the right to sniff should the
> > > need strike us.
> > >
> > > Anyone have a quick link to policies and notification documents to be
> > > sent to the user that I might have a look at and/or steal outright? I
> > > worry that there's something I might overlook in the process.
> >
> > If you're not sure that the existing "general statement" in your policy
> > authorizes the diagnostic activity that you have in mind, then your first
> > stop should be your university counsel's office. That should be part of
> > your standard procedure for anything potentially invasive that's outside
> > the scope of routine operations.
> >
> > If your legal counsel advises that you are authorized to proceed based on
> > your existing policy, then you might, in terms of notification, simply let
> > the affected users know about the coming diagnostic activity, and
> > reference the policy that authorizes it.
> >
> > For example, were I in your shoes, I'd probably be referring the affected
> > users to the "Privacy and Confidentiality" section of our school's
> > computer use policy:
> >
> >  <http://www.musc.edu/ccit/cup/cup2001.html>
> >
> >  --- o ---
> >  Richard Gadsden
> >  Director of Computer and Network Security
> >  Medical University of South Carolina
> >
> > **********
> > Participation and subscription information for this EDUCAUSE
> > Discussion Group discussion list can be found at
> > http://www.educause.edu/cg/.
>
> ********** Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/cg/.

--

Carol Myers
Director, ITS Security Services
Information Technologies Services
Maricopa Community Colleges               http://www.maricopa.edu/security
480.731.8903

"Reminds me of my safari in Africa. Somebody forgot the corkscrew and
for several days we had to live on nothing but food and water."
                                               --W.C. Fields

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.