IT data security, classification, and incident response policies

Over the summer former Interim President Coltrane enacted three emergency IT policies. The administration is now looking to make them permanent, and is asking for feedback. My own initial reaction, as someone that Coltrane’s administration tried to fire over the UO Presidential Archives release (and he did fire two others) is that these policies need to say a lot more about the rights of students, staff and faculty to use IT without excessive fear of reprisals, and about the UO’s obligations w.r.t. public records law, transparency, and academic freedom.

But the King explained it long ago: “Here we go again. We’re caught in a trap. We can’t build our dreams on suspicious minds. And you can’t hear the tears I’m crying”:

Comments welcome, you can expect these policies to receive careful review by the Senate, as well as the SEIU and faculty unions.

Info Security Policyhere. One snippet:

“Monitor the University networks to identify malicious activity”

Malicious. That word covers a lot of territory, including some that is protected by the US Constitution, etc.

Data Classification Policy, here:

  • Internal (moderate level of sensitivity)
    Access to “Internal” data must be requested from, and authorized by, the Data Trustee or Steward who is responsible for the data.  Data may be accessed by persons as part of their job responsibilities. The integrity of this data is of primary importance, and the confidentiality of this data must be protected. Examples of Internal data include purchasing data, financial transactions (that do not include sensitive data), and information covered by non-disclosure agreements.

Data Security Response Policy, here. The meat is in the procedures, which are only on the IT site, here:

Screen Shot 2015-10-21 at 8.39.23 PM

Sounds reasonable, but what would prevent some interim president from going rogue and trying to fire a professor, and firing a few librarians, over a self-described “unlawful release” of presidential archives?

Date: January 20, 2015 at 7:39:38 PM PST
From: “President’s Office” <pres@uoregon.edu> Reply-To: pres@uoregon.edu
Subject: Archive release investigation

Dear Colleagues,

We have recently learned that a significant number of archived records from the President’s Office have been unlawfully released. These records contain confidential information about faculty, staff and students, but our current understanding is that no social security numbers, financial information or medical records were shared.

We have launched an investigation of the incident, and we have put staff members on administrative leave, pending that investigation. The information was sent to a university professor, and we have already requested that the professor return the information and refrain from any public release of confidential information. To our knowledge, only one record has been shared externally at this point.

We are committed to taking steps to mitigate the potential injury associated with this situation.

Sincerely,

Scott Coltrane, Interim President

While we’re on that topic, do these policies follow ALA rules on the privacy of library circulation records?

Bowl of Dicks trial reveals UOPD’s casual spying on employees

10/8/2015: This is from the trial transcripts, which I’m slowly getting through:

Screen Shot 2015-10-08 at 7.29.18 PM

8/4/2015: UO administrator accessed employee email account without notice

Here’s the description of recent events, from an anonymous correspondent:

Administrators Are Permitted to Monitor Emails without Notice or Authorization

Consider the following scenario: Alice,* a staff member with a disability, has been ordered by her doctors to utilize her federally protected leave in order to recover from symptoms emerging from a potentially hostile work environment. Alice has been in contact with the Union, who are investigating the climate at her department for possible discrimination.

While Alice is away in recovery, Bob,* her supervisor and a department administrator, somehow acquires full access to all of Alice’s emails. Bob does not notify Alice that he intends to access her information, nor does he seek authorization from Information Security, General Counsel, or the Union. Rather, Bob simply unilaterally seizes full, unsupervised, and ongoing access to the entirety of Alice’s email account, including her correspondences with the Union.

Such an obvious conflict of interest and invasion of privacy would seem ludicrous if it wasn’t for the fact that it recently occurred at the University of Oregon.

As soon as this data breach came to light, the Union contacted UO’s Chief of Information Security Officer (CISO) to clarify what exactly the criteria were for an administrator gaining access to an employee’s email. The CISO responded that the UO does not offer “wholesale access to another employee’s email.” There would have to be a “specific request” driven by a “business need” and submitted through the proper channels. If such criteria are met, then Information Security will attempt to provide the specific information, and only that information, which was requested. The CISO continued, “The only time we would give over all email would be in the case of a subpoena or other legal request.”

Under such criteria, Bob had obviously violated university policy by accessing and monitoring all of Alice’s emails during her absence from the office. The Union reported the data breach immediately, in conformity with the newly minted executive policy on Data Security Incidence Response.

A few weeks later, the Union inquired with the Director of Employee & Labor Relations (DLR) at Human Resources to inquire after the progress of the investigation. What a difference a few weeks can make! The DLR responded that there had been no violation of policy, because UO in fact has no policy at all restricting administrator access to an employee’s email.

The Union reached out again to the CISO to clarify. The CISO responded that he believed that the situation was handled poorly, and that he did not believe that Bob was “philosophically” justified in accessing Alice’s data. Unfortunately, he admitted, there are no “specific policies” in place at UO at present to prevent, discourage, or reprimand an administrator who unilaterally decides that they have a “business need” to access and monitor an employee’s personal data without their prior knowledge or consent.

The CISO seemed as disturbed by this state of affairs as the Union, noting that it “raises a need for a procedure to be put in place regarding access to an employee’s email account” and that he “intend(s) to write up a procedure for situations like this” which will “hopefully alleviate situations like this in the future by providing a standard process.”

The Union applauds the CISO’s pledge to put policies in place that will provide the necessary checks and balances to reign in administrators who feel justified in violating their employee’s privacy at will.

The response at HR has been less encouraging however. As of this writing, the DLR has chosen to fully back management in this matter. Amazingly, rather than stand up for the rights of one of the most vulnerable members of the UO community in a case of discrimination, harassment, and gross invasion of privacy, HR has chosen instead to escalate the harassment by pursuing disciplinary action against Alice on behalf of Bob.

And as of this writing, Bob still retains full access to Alice’s email.

So, until the new policies are in place, be careful what you write and who you write it to.

* All names have been changed.

It’s more than two years since I started the thread below, trying to find out UO’s policy for email monitoring and access. Page down for the entire history. Obviously there are situations when supervisors need access to an employee’s email, e.g. a public records request or a court order, an emergency illness or death, etc. On the other hand there are situations where that access would be very problematic, e.g. like that above, or when an employee has a complaint about the supervisor, or has used UO email to contact a doctor or counselor or lawyer, etc. So most universities have a sensible policy along the lines of UC’s, here:

An electronic communications holder’s consent shall be obtained by the
University prior to any access for the purpose of examination or disclosure of the
contents of University electronic communications records in the holder’s
possession, except as provided for below. …

1. Authorization. Except in emergency circumstances (as defined in Appendix
A, Definitions) in accordance with Section IV.B.2, Emergency
Circumstances, or except for subpoenas or search warrants in accordance with
Section IV.B.6, Search Warrants and Subpoenas, such actions must be
authorized in advance and in writing by the responsible campus Vice
Chancellor or, for the Office of the President, the Senior Vice President,
Business and Finance (see Section II.D, Responsibilities).1
This authority may not be further redelegated. Authorization shall be limited to the least perusal of contents and the least action necessary to resolve the situation.  …

3. Notification. The responsible authority or designee shall at the earliest
opportunity that is lawful and consistent with other University policy notify
the affected individual of the action(s) taken and the reasons for the action(s)
taken.

Each campus will issue in a manner consistent with law an annual report
summarizing instances of authorized or emergency nonconsensual access
pursuant to the provisions of this Section IV.B, Access Without Consent,
without revealing personally identifiable data.

UO’s policy is here. It’s not as cogent, but it also seems to ban the sort of blanket access that is described above. And UO IT also passes on the following helpful advice, here:

  • Never share your password with anyone.  This includes your supervisor, co-workers, and IT staff.
  • There may be some destinations (such as China, Russia, and other areas overseas) where it may be difficult or impossible to prevent your computer from being attacked and electronically compromised.

China and Russia indeed.

8/2/2013: UO has no policies limiting which administrators can read your email or monitor your web use, or why. From Dave Hubin’s PRO:

Continue reading