IT data security, classification, and incident response policies

Over the summer, former Interim President Coltrane enacted three emergency IT policies. The administration is now looking to make them permanent, and is asking for feedback. My own initial reaction, as someone that Coltrane’s administration tried to fire over the UO Presidential Archives release (and he did fire two others), is that these policies need to say a lot more about the rights of students, staff and faculty to use IT without excessive fear of reprisals, and about the UO’s obligations w.r.t. public records law, transparency, and academic freedom.

But the King explained it long ago: “Here we go again. We’re caught in a trap. We can’t build our dreams on suspicious minds. And you can’t hear the tears I’m crying”:

Comments welcome. You can expect these policies to receive careful review by the Senate, as well as the SEIU and faculty unions.

Info Security Policy, here. One snippet:

“Monitor the University networks to identify malicious activity”

Malicious. That word covers a lot of territory, including some that is protected by the US Constitution, etc.

Data Classification Policy, here:

  • Internal (moderate level of sensitivity)
    Access to “Internal” data must be requested from, and authorized by, the Data Trustee or Steward who is responsible for the data.  Data may be accessed by persons as part of their job responsibilities. The integrity of this data is of primary importance, and the confidentiality of this data must be protected. Examples of Internal data include purchasing data, financial transactions (that do not include sensitive data), and information covered by non-disclosure agreements.

Data Security Response Policy, here. The meat is in the procedures, which are only on the IT site, here:

[Image: screenshot of the procedures]

Sounds reasonable, but what would prevent some interim president from going rogue and trying to fire a professor, and firing a few librarians, over a self-described “unlawful release” of presidential archives?

Date: January 20, 2015 at 7:39:38 PM PST
From: “President’s Office” <[email protected]>
Reply-To: [email protected]
Subject: Archive release investigation

Dear Colleagues,

We have recently learned that a significant number of archived records from the President’s Office have been unlawfully released. These records contain confidential information about faculty, staff and students, but our current understanding is that no social security numbers, financial information or medical records were shared.

We have launched an investigation of the incident, and we have put staff members on administrative leave, pending that investigation. The information was sent to a university professor, and we have already requested that the professor return the information and refrain from any public release of confidential information. To our knowledge, only one record has been shared externally at this point.

We are committed to taking steps to mitigate the potential injury associated with this situation.


Scott Coltrane, Interim President

While we’re on that topic, do these policies follow ALA rules on the privacy of library circulation records?


10 Responses to IT data security, classification, and incident response policies

  1. Hippo says:

    This is an honest question: How precisely did Coltrane try to fire you, and what prevented it?

    • uomatters says:

      Part of the deal was that I wouldn’t talk about the deal, but it was about the Presidential Archives and a ZIP drive.

      • Hippo says:

        The question wasn’t “about what” Coltrane tried to fire you, but rather “how”, i.e. on what grounds? Does the deal prevent you from saying on what basis they argued they could dismiss you? Does it prevent you from saying what part of my contract I should look closely at? I am a tenured faculty member.

        • uomatters says:

          I was told I could “lose my tenure and job” because I had “unlawfully obtained” the UO Presidential Archives.

          Should you ever find yourself in a similar situation, or even just be told that you are facing potential discipline, I hope you are in the UAUO bargaining unit. (Most all faculty except Law, PIs, and department heads). Give the union office a call. They are extremely knowledgeable and helpful.

          • Hippo says:

            OK, so I infer that they said you broke the law, and that is cause to lose tenure and job. So, the administration can *assert* that a faculty member has broken the law — without an indictment from any jurisdiction, trial, or conviction — and on that basis, take away tenure? I think I knew that criminal behavior could result in loss of tenure, but I did not know that the mere assertion of a criminal act could have the same result. Is that really true?

          • One tactic says:

            the administration was toying with was firing Harbaugh with the intention of settling/losing the inevitable lawsuit, because it was worth paying out a fair amount of cash just to get rid of him. Having a union in place made this more difficult, because United Academics could potentially also fight for reinstatement. Another factor was that he was willing to return the documents, so here we are.

          • just different says:

            Wow. If anyone had any remaining doubts about the UO administration being manipulative, self-serving sleazeballs, this story should utterly dispel them.

            • uomatters says:

              That’s not my view, I think they’re reaching out to the faculty this time, and I see no reasons to think they won’t work with us to come up with good permanent policies.

          • Dog says:

            I remain skeptical on this “reaching out to faculty”

            a) I am sure they want to present the appearance of reaching out to faculty …

            b) there are large lingering trust issues

            c) do “they” even know how to reach out to faculty or what they are reaching for?

            d) how will us “faculty” know we are being reached out to?

            e) the ultimate goal of reach out should be to improve our academic programs (by instituting much better interdisciplinary and team teaching models through cross cutting courses) through better partnerships and different (more sensible) funding models.
            Hell we still can’t reform gen ed …. at any sensible scale.

            f) I would personally like the “them” (the Admin) to acknowledge that it’s 2015 and objectively compare our academic and research infrastructure with respect to other (peer) institutions in the context that it is 2015 and not 1950 …

            g) how the admin treats the Harbaugh profile seems trivial compared to the rest of these concerns

  2. New Year Cat says:

    It would be nice if they also reached out to the staff. Has the incredible abuse of power represented by the manager who had his employee’s email account copied to him so he could read and reply to ALL her emails (while being investigated for harassment of said employee) already been forgotten? I heard HR said that was fine with them (even though it was forbidden by the SEIU contract). Trust is definitely broken for some of us and that little caper does nothing to reassure about the intention of data “security” policies.