Educause Security Discussion mailing list archives
Data capture protection for security staff
From: "Young, Beth A." <youngba () MORE NET>
Date: Tue, 9 Sep 2008 14:20:25 -0500
Hello,

I am looking for example statements that people have used for permission to do packet captures or other traffic/computer analysis that may involve confidential information, whether that statement is a blanket policy statement warning every user that there is no expectation of privacy or statements included in job descriptions.

Reading articles like this one in Wired: http://blog.wired.com/27bstroke6/2008/05/isp-content-f-1.html and attending SANS classes which have a disclaimer about getting permission before doing any kind of data capture, I am looking for what other organizations are doing to protect their employees from civil or criminal lawsuits.

For example: Employee A gets fired (or reprimanded) for inappropriate web surfing at work. Employee A decides that the security department employees, the ones that did the packet captures at the request of HR, have violated the Wiretap Act and takes them to civil court. Ohm (from the Wired article linked above) seems to think that any system administrator could be in trouble for doing their job, even if directed by their boss to install a monitoring device.

Our situation at MOREnet gets even more complicated because we are a statenet. We occasionally receive packet captures, log files or other information/data from MOREnet member sites - meaning that we, as an organization, are not doing any capturing of data, but receiving captured data. We are concerned that we are opening ourselves up to civil or criminal liability because we do not know if the member site has an acceptable use policy that covers capturing of data.

Another example: We are asked to look at a packet capture to help troubleshoot a network slowness problem. While sifting that data, we find what we suspect to be inappropriate traffic. We point it out to the site security contact and a person gets fired. That person then goes on to sue the school for wrongful termination and says that the packet captures were illegal and breaking wiretap law. What liability do we have? The site security person would not have found the traffic without our help (mainly because most sites do not have advanced technical knowledge), so are we dragged into their legal battle as the finders of the bad traffic?

What kind of policies or job descriptions would you want to protect yourself?

Thanks,
Beth

Beth Young, CISSP
MOREnet Security
1-800-509-6673
http://www.more.net/security