LISTSERV 16.0 - MSUNAG Archives

On Wed, 30 Mar 2005, Bosman, Don wrote:

> After those who have to keep the machines running, citing the AUP as the
> reason of course, refuse to work on those machines they don't have
> permission to look at. Maybe systems people need "HIPPA" forms from every
> patient?

This part is easy:  IT personnel shouldn't be looking at systems they "don't
have permission to look at" anyway.  It's not their job, regardless of the
SAU.

As for the provision quoted in an earlier message (based on section III.2,
but also with reference to other sections such as IV.4.1) actually makes
having a policy for every system advisable.  It just can't be set at the
whim of the IP staff;  it has to go through channels and be publicized to
users (a HIPPA-type form would be a good idea in many cases).  A local
policy also cannot override the main MSU SAU or negatively affect policies
for other external resources (a prime example would be that one may be
restricted by technical means from reading one's private mail.msu.edu
E-mail from a given PC or workstation during work hours, but nobody can make
one give one's private mail.msu.edu password to someone else so _they_ can
read one's private mail.msu.edu E-mail -- the former would be a stupid-but-
legal policy, the latter would be a stupider-and-grounds-for-University-
action-at-least policy).

> If the AUP were to be interpreted to mean one can't look at system event
> logs then every request for repair or help will have to result in a wipe
> and reload. Just like the standard last result of most manufacturer help
> desks. Common sense has to come in to the picture somewhere.

The usual Acceptable Use guideline for logs is that one should not simply
browse through them for no apparent reason (the usual catch phrase being
"no fishing expeditions).  If there is some externally-derived reason to
be suspicious, that triggers one part of the SAU (V.1 et seq.) which would
allow investigation of those logs reasonably expected to have a bearing on
the problem.  If a system's owner and users say it's OK (or necessary)
to investigate a problem with the system, that constitutes permission,
which triggers another part of the SAU allowing investigation of the
logs.  Most practical instances are covered by one or the other of these
cases, and uninvited snooping for no explicit reason is disallowed, and
overall, that's not a bad thing.

The only grey area instance would be "preventative maintenance" types of log
checks, which are probably best done with some sort of "robotic" assistance
(e.g., a software package which compares log entries and such to known
problem patterns) instead of just reading all entries indiscriminately
anyway.  This may or may not be technically against the current SAU,
depending on the details of the package used.  The proposed SAU is not
finished, but from current reports to the NCC, it has at least some
provision for making this type of checking legal.

Besides the SAU, there is a set of 'guidelines' in the works clarifying the
conditions under which the Vice Provost's office would grant permission
semi-automatically and therefore would no longer need to be explicitly asked
to do so unless some affected person explicitly objects;  the network
component of these guidelines is expected to come out by this summer, and
NCC has asked that a version covering "server-resident" issues which are not
explicitly tied to the network, but are affected by the network SAU, also be
considered.  These would list categories of or methodology for system log
checks and similar "preventative maintenance" actions which would be
considered to have minimal impact on user privacy, and thus not violate the
intent of the privacy provisions in the SAU.

>
> Does the AUP committee have any techs, who have to live with the
> restrictions of the AUP, on it?

Since Michael Seadle of the Library is one of the NCC's representatives
on the subcommittee working up recommendations for the new SAU,  he might
be someone closer to you whom you could ask for more details, but yes, there
are definitely technical people both from ACNS and from departments and
other administrative units involved (Health Team's Linda Losik, who has been
part of this discussion thread, among them).

>
> Don Bosman
> Information Technologist
> Michigan State University, Libraries
> 100 Library
> East Lansing, MI 48824
> 517-432-6123  ex 233
> [log in to unmask]
> [...]

The idea of having this discussion at a meeting is a good one.

The next MSU NAG meeting is tentatively scheduled for the afternoon of
Friday, April 22nd (start time flexible in the range of 1:15 to 3 pm).
If this is really undoable for some of the people who have been suggested
as speakers/discussion leaders, please contact me (not the whole list) and
perhaps I can find another calendar slot.  I'll read through the thread
again in a couple of days and see who's willing, who's not, and who can't,
and then make an announcement.
--
                                George

-------------------------------------------------------------------------
George J Perkins                  http://www.pa.msu.edu/people/perkins/
1209B BPS Bldg, MSU               Phone: 517-355-9200 ext 2567
East Lansing, MI  48824-2320        FAX: 517-353-4500