Educause Security Discussion mailing list archives

Re: Campus versus university hospital ACUP investigation authority


From: Tim Howard <Timothy_G_Howard () RAYTHEON COM>
Date: Tue, 31 Jan 2006 17:53:21 -0500

Hi David,
It is common for both the government and corporations to take the view
that any bits created using their information resources belong to them,
especially if it is in the course of assigned work duties.  Typically,
users are warned with a banner statement, to which they agree when they
accept the banner and login.  You can include language in your acceptable
use policy and/or Rules of Behavior to this effect, and make users aware
that their expectation of privacy, which is where the issue usually ends
up, is really not valid.  I am not aware of any legal rulings in this area
to support the assertion of bit ownership, but that is the practice I have
seen while working as a contractor supporting both corporate and
government entities.

I recommend reviewing the policies created for the U.S. Antarctic Program,
which can be reviewed at http://www.usap.gov/technology/ under the
Information Security link.  The acceptable use policy is general and
instructs the program participants to review the Rules of Behavior
(separate document on the same web page).  The ROB include a specific
statement about expectations of privacy and NSF ownership of the
information.  The policy and rules were developed based on current
thinking in the academic community (I helped the government with their
development).

You might also take a look at hospital leaders like Johns Hopkins to see
what they are doing, and of course SANS is a must-read for this sort of
activity.

If you need more in-depth assistance, you can contact me offline at
tghoward () sprintmail com. (I am moving to a new job next week, and my
Raytheon email will no longer work)

Cheers,
Tim




Raytheon
Tim Howard
Information Security Manager
Raytheon Information Solutions
301.943.4732 cell;      timothy_g_howard () raytheon com



David Grisham <DGrisham () SALUD UNM EDU>
01/31/2006 03:30 PM
Please respond to: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
cc:
Subject: [SECURITY] Campus versus university hospital ACUP investigation authority

We are revising our procedures for searching email, hard drives and
Internet traffic.  We feel that anything on our systems is "work product"
and owned by the hospital and can be searched accordingly for
investigative and work-related needs.

We previously had a combination of the campus ACUP that restricted
managers from searching for investigative purposes and the issue that our
managers are advocates for the hospital.  As such will investigate for
disciplinary action.
Does anyone have a similar policy in place?


Cheers. -grish
David D. Grisham, Ph.D., CISM, CHS, CHSP
Manager, IT Security, UNM Hospitals, Information Technology
