Educause Security Discussion mailing list archives

Re: Drafting a confidentiality statement for student employees


From: Bob Mahoney <bobmah () MIT EDU>
Date: Mon, 26 Jul 2004 14:30:37 -0400

At 1:31 PM -0400 7/26/04, James Moore wrote:
I am in the early drafting stages of student employment confidentiality
agreements.  Anyone want to share with me their confidentiality
agreements?

Jim-

I believe a more formal agreement is in the works, but in the past,
MIT asked that team members acknowledge and abide by the following
"Statement on Confidentiality".  (This was typically an email
exchange, not a signed paper).  The statement applied to staff,
students, and volunteers alike.

Feel free to steal any words or concepts that amuse you, and please
forgive any rough edges (I'm solely to blame for this one, and it is
somewhat fluffy and open).  This text was usually accompanied by a
stern lecture, with finger-waving and tales of the apocalyptic
consequences of misusing the trust we had placed in them.  (The text
was shared with our legal staff, but I'm not sure their lack of
change requests should be taken as approval...  :-)

-Bob

---

Confidentiality

Team members are frequently exposed to very sensitive data.  Examples
include user passwords, information relating to criminal
investigations, and security-related corporate information.
Inappropriate disclosure of this information can compromise user
security, derail criminal cases, or expose an outside corporate
entity to serious financial harm.  Civil or criminal liability could
conceivably accrue to MIT.

It is ESSENTIAL that team members treat the information they are
privy to with serious care.  Proper care of such information is a
REQUIREMENT for participation in this work.

Information from the team mailing list, or about specific cases, is not
to be shared with outside parties without permission.  To be very clear,
this means friends, co-workers, supervisors, other security teams,
and even law enforcement agencies.

Decisions to pass information to outside parties will be made by the
team leader, in cooperation with the network manager.  If you believe
there is information that should be passed outside the team, bring
the issue to the attention of the team leader, or in the case of
emergencies off-hours, the network operations on-call contact.

There are standing exceptions; please use good judgement in such instances:

1) If an imminent threat to life, safety, or physical property
becomes evident, it should always be treated as expeditiously as
possible.  If the team leader or network manager can't be reached
immediately, it is appropriate to take steps, typically by notifying
campus police.  In a case such as this, it is expected that
information has been sent to the team list, and that attempts have
been made to page the team leader and network manager.

2) You may always use other contacts you may be aware of to reach the
owner of a compromised machine.  This is typically via friends and
associates of the system owner.  Please make other team members aware
when you use such paths.  Take care to avoid disclosure of
unnecessary information not pertinent to reaching the appropriate
contact.

3) It is encouraged that team members pass local vulnerability
information to the appropriate *local* contacts.  Such disclosures
should be as closely targeted as possible.  An example would be a new
vulnerability that affects critical MIT servers, where such
notification should be made *securely* to the team or teams
responsible for these services.

In all cases, disclosure should be made carefully and securely, with
an appreciation of any possible negative effects from such disclosure.

While we have been fortunate to avoid serious problems relating to
inappropriate disclosures, it is a real danger we face.  Team members
are expected to be mindful of the seriousness of our work, and the
potential harm facing individuals or businesses through careless
action on our part.
