IT Policy Office

• IT Policy Home
• Policies
• Programs
• Articles
• Issues

DRAFT

OIT/CIT Fair Information Practices for Network Flow Logs and Content Data Transmitted or Stored on OIT/CIT Computers and Network Systems

Introduction to OIT/CIT Fair Information Practices

OIT/CIT practices for network flow logs and content information respect the confidentiality, availability and security of information about individuals transmitted and or stored on CIT computers and network systems. This explanation balances these values against the efficiency and effectiveness of the necessary technical management. In accordance with those practices, it is established that administrative heads are the stewards of their data. For example, the Vice President of Human Resources is the steward of all employee data; the Vice President for Student Affairs and Academic Services is the steward of all student data; and the Vice President for Information Technologies is the steward for all system logs and network flow data. Anyone who possesses or has access to university administrative data, electronic or otherwise, is a custodian of that data. OIT/CIT staff that manage computers and network systems upon which such data is transmitted or stored become the custodians of that data. Custodial responsibilities attach to that role, such as confidentiality of material irrespective of technical abilities to discern content and non-disclosure to unauthorized individuals. This document specifies those practices.

General Principles

Should any individual either outside of or within the University community contact you and request data over which you are the custodian, please ask them to obtain the permission of the Vice President who is the steward of that data and to make the request through the policy advisor, security officer or vice president of the Office of Information Technologies unless the data used and requested is in the normal and valid exercise of technical or security management. Please note that if the individual represents himself or herself as a law enforcement officer, they must make that request through either the Policy Advisor or the Director of Security of the Office of Information Technologies. In both cases, if the individuals who occupy those offices are not available, they should contact the Vice President of Information Technologies. Please note the emergency exception for network operations center in the case of immediate danger to life and limb illustrated in Practice Specifics example 3(d).

Practice Specifics

1. You may not access, alter, or disclose protected university data without appropriate authorization and only as required to fulfill your assigned university duties.
1. Example: Accessing and altering yours’ or your wife’s pay scale in human resources data.
2. Example: Accessing and altering your son’s grade from a C to an A in organic chemistry.
3. Example: Accessing your ex-partner’s mail files to see if they reveal information about whom she is currently dating.
4. Example: A network administrator asks for network flow log information in order to remedy a computer compromise in their subnet. You may access and supply that data so long as it is relevant only to the specific security matter.
5. Example: University counsel’s office pursuant to a subpoena asks for the mail files of a member of the university community residing on a CIT server. You may access and supply that data specific to the request.
6. Example: A human resources supervisor requests that you access and supply the mail files of an employee under his purview for a sexual harassment investigation. You may NOT provide that information unless it is made through the policy officer, security officer or vice president of information technologies who has the express permission of the Vice President of Human Resources.
7. Example: In your role as network administrator in the usual course of business you observe the content of an e-mail message that suggests the chairman of a department is having an extra-marital affair. You may NOT disclose that information to anyone.
8. Example: A professor requests the mail files of student about whom they have concerns of psychological stability. You may NOT disclose that information unless it is made through the policy officer, security officer or vice-president of information technologies who has the express permission of the Vice-President of Student Affairs and Academic Services.
9. Example: CU police requests the mail files of a student about whom they are conducting a criminal investigation. You may NOT disclose that information without proper authorization processed through OIT/CIT policy, security or vice president’s office and university counsel.
2. You may not resolve conversational detail in telephone or network billing or flow logs such as telephone numbers or Internet protocol addresses unless authorized to do so.
1. Example: The University’s designated agent for DMCA notices requests the resolution of an IP address of a network operations center staff in order to process a copyright infringement notice. You may resolve the IP address to user name.
2. Example: In your role as administrative assistant who processes telephone records you notice that an employee for whom you do billing calls a certain number in California frequently. You may NOT use a reverse look-up program to resolve that phone number to a user name. If legitimate concern exists consult either the employee or the OIT/CIT director of human resources.
3. Example: In your role as administrative assistant who processes network billing you notice that there is one destination IP address that accounts for an inordinate amount of network charges on your supervisor’s bill. You may NOT resolve that IP address to a web site. If legitimate concern exists, for example that the source IP address/computer may have been compromised, consult either the individual user, the OIT/CIT director of security if it is a question of security, or in general the OIT/CIT director of human resources.
4. Example: CU police contact the network operations center and they request the resolution of an IP address to user name based on a bomb threat or suicide note that they received via e-mail. In the case of immediate danger to life and limb emergency you may resolve the IP address for CU police, so long as you report the incident to the NOC manager and either OIT/CIT policy or security. They will make any other necessary follow up communications, for example to the Vice President of Student Affairs and Academic Services, legal counsel or external law enforcement authorities.

Questions?

Any questions about this document or its practices may be addressed to the Policy Advisor at it-policies@cornell.edu or at 254-3584.