ITCC / IT Retreat Data Access Procedure December 10, 2009 Karl F. Lutzen Information Security Officer
Summary of UM System AUP Changes Electronic information is subject to examination, including (but not limited) to: –It is necessary to maintain or improve the functioning of University computing resources; –There is a suspicion of misconduct under University policies, or suspicion of violation of Federal or State laws; –It is necessary to comply with or verify compliance with Federal or State law including e- discovery procedures; or –If it will serve a legitimate business need of the University.
Reasons AUP needed changes mostly due to –E-discovery requirements –Situations where information is required for mission continuity – ensuring that mission of the University and department are met
Process Required for Item 4 All campuses must have a defined process with minimums: –All requests must be documented and retained –Request must be approved by a minimum set of approvers: If the request affects a faculty member, an approval by a faculty representative. An approval by one of the following University administrators at the Chancellor, Vice Chancellor, Provost or Vice Provost level as follows: »Students including student employees – Student Affairs »Staff – Administrative Services or Human Resources »Faculty – approval from the Chancellor or Provost or designee Approval by the business unit Chief Information Officer (CIO) or designee
Preservation of Data There is a clause for preservation of electronically stored information. –A general officer or their direct reports in advance of an access request approval may authorize data retention
S&T Process We have defined a process that includes these as well as additionally: –Requires keywords for searches (we do not give direct access to the account) –Areas must be defined as to where we search –Perform legal checks prior to search: Grievance Pending litigation: –UM Legal –Student Affairs
S&T Process (cont) Searches are to be conducted by Information Security only. Records are filed with the campus Information Security Officer Information Security Personnel may NOT be one of the authorized signatures if CIO is not available. Another suitable delegate must be identified prior to search
IT Process - Preservation Work in progress Currently: –Any such request must be identified as in the request form –Data is secured, not analyzed, and if access request does not appear in a reasonable time, data copy will be destroyed. –Time needs better definition. Currently held no more than 12 months.
Statistics In addition, all campuses must annually disclose statistics on faculty accounts being accessed. Action Items: –When should this report occur? –Who to send it to? –Format?
Faculty Representative Need to identify: –Campus faculty representative –Alternate/Delegate for all signers when primary representative is unavailable Must be kept current –Need to determine online documentation (IT will work on this and report back)
Subsequent Searches Currently, it is Information Security’s view that any additional keywords requires a new request be filed and approved prior to the new search. Reason: Could be a “fishing” expedition. This needs more discussion (breakout session)
Learning Management Data Issue: –Instructor unavailable to teach current semester –Data does reside in Blackboard (or other official LMS IT has access to). What process for providing course data to ensure mission continuity? Should it be the same as regular request or is this published data different?
Breakout Session Annual faculty data access report: –When? To Whom? What Format? Faculty representative: –Identify primary representative and delegate(s). Subsequent searches: –New request form or other? Data Preservation time: –How long? <=12 months in current draft Learning Management Data –What process for access?