Educause Security Discussion mailing list archives
Re: Drafting a confidentiality statement for student employees
From: Bob Mahoney <bobmah () MIT EDU>
Date: Mon, 26 Jul 2004 14:30:37 -0400
At 1:31 PM -0400 7/26/04, James Moore wrote:
I am in the early drafting stages of student employment confidentiality agreements. Anyone want to share with me their confidentiality agreements?
Jim-

I believe a more formal agreement is in the works, but in the past, MIT asked that team members acknowledge and abide by the following "Statement on Confidentiality". (This was typically an email exchange, not a signed paper). The statement applied to staff, students, and volunteers alike.

Feel free to steal any words or concepts that amuse you, please forgive any rough edges (I'm solely to blame for this one, and it is somewhat fluffy and open). This text was usually accompanied by a stern lecture, with finger-waving and tales of the apocalyptic consequences of misusing the trust we had placed in them. (The text was shared with our legal staff, but I'm not sure their lack of change requests should be taken as approval... :-)

-Bob

---

Confidentiality

Team members are frequently exposed to very sensitive data. Examples include user passwords, information relating to criminal investigations, and security-related corporate information. Inappropriate disclosure of this information can compromise user security, derail criminal cases, or expose an outside corporate entity to serious financial harm. Civil or criminal liability could conceivably accrue to MIT.

It is ESSENTIAL that team members treat the information they are privy to with serious care. Proper care of such information is a REQUIREMENT for participation in this work.

Information from the team mailing list, or specific cases, are not to be shared with outside parties without permission. To be very clear, this means friends, co-workers, supervisors, other security teams, and even law enforcement agencies. Decisions to pass information to outside parties will be made by the team leader, in cooperation with the network manager. If you believe there is information that should be passed outside the team, bring the issue to the attention of the team leader, or in the case of emergencies off-hours, the network operations on-call contact.
There are standing exceptions, please use good judgement in such instances:

1) If an imminent threat to life, safety, or physical property becomes evident, it should always be treated as expeditiously as possible. If the team leader or network manager can't be reached immediately, it is appropriate to take steps, typically by notifying campus police. In a case such as this, it is expected that information has been sent to the team list, and that attempts have been made to page the team leader and network manager.

2) You may always use other contacts you may be aware of to reach the owner of a compromised machine. This is typically via friends and associates of the system owner. Please make other team members aware when you use such paths. Take care to avoid disclosure of unnecessary information not pertinent to reaching the appropriate contact.

3) It is encouraged that team members pass local vulnerability information to the appropriate *local* contacts. Such disclosures should be as closely targeted as possible. An example would be a new vulnerability that affects critical MIT servers, where such notification should be made *securely* to the team or teams responsible for these services.

In all cases, disclosure should be made carefully and securely, with an appreciation of any possible negative effects from such disclosure.

While we have been fortunate to avoid serious problems relating to inappropriate disclosures, it is a real danger we face. Team members are expected to be mindful of the seriousness of our work, and the potential harm facing individuals or businesses through careless action on our part.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.