Educause Security Discussion mailing list archives

Data capture protection for security staff


From: "Young, Beth A." <youngba () MORE NET>
Date: Tue, 9 Sep 2008 14:20:25 -0500

Hello,

I am looking for example statements that people have used for permission
to do packet captures or other traffic/computer analysis that may
involve confidential information, whether that statement is a blanket
policy statement warning every user that there is no expectation of
privacy or statements included in job descriptions.

Reading articles like this one in Wired:
http://blog.wired.com/27bstroke6/2008/05/isp-content-f-1.html and
attending SANS classes which have a disclaimer about getting permission
before doing any kind of data capture, I am looking for what other
organizations are doing to protect their employees from civil or
criminal lawsuits.  For example: Employee A gets fired (or reprimanded)
for inappropriate web surfing at work.  Employee A decides that the
security department employees, the ones that did the packet captures at
the request of HR, have violated the Wiretap Act and takes them to civil
court.  Ohm (from the Wired article linked above) seems to think that
any system administrator could be in trouble for doing their job, even
if directed by their boss to install a monitoring device.

Our situation at MOREnet gets even more complicated because we are a
statenet.  We occasionally receive packet captures, log files or other
information/data from MOREnet member sites - meaning that we, as an
organization, are not doing any capturing of data, but receiving captured
data.   We are concerned that we are opening ourselves up to civil or
criminal liability because we do not know if the member site has an
acceptable use policy that covers capturing of data.  Another example:
We are asked to look at a packet capture to help troubleshoot a network
slowness problem.  While sifting that data, we find what we suspect to
be inappropriate traffic.  We point it out to the site security contact
and a person gets fired.  That person then goes on to sue the school for
wrongful termination and says that the packet captures were illegal and
breaking wiretap law.  What liability do we have?  The site security
person would not have found the traffic without our help (mainly because
most sites do not have advanced technical knowledge) so are we dragged
into their legal battle as the finders of the bad traffic?  What kind of
policies or job descriptions would you want to protect yourself?

Thanks,
Beth


Beth Young, CISSP
MOREnet Security
1-800-509-6673
http://www.more.net/security
