On Wed, 30 Mar 2005, Bosman, Don wrote:

> After those who have to keep the machines running, citing the AUP as the
> reason of course, refuse to work on those machines they don't have
> permission to look at. Maybe systems people need "HIPAA" forms from every
> patient?

This part is easy: IT personnel shouldn't be looking at systems they
"don't have permission to look at" anyway. It's not their job, regardless
of the SAU.

As for the provision quoted in an earlier message (based on section III.2,
but also with reference to other sections such as IV.4.1), it actually
makes having a policy for every system advisable. It just can't be set at
the whim of the IP staff; it has to go through channels and be publicized
to users (a HIPAA-type form would be a good idea in many cases). A local
policy also cannot override the main MSU SAU or negatively affect policies
for other external resources (a prime example would be that one may be
restricted by technical means from reading one's private mail.msu.edu
E-mail from a given PC or workstation during work hours, but nobody can
make one give one's private mail.msu.edu password to someone else so
_they_ can read one's private mail.msu.edu E-mail -- the former would be a
stupid-but-legal policy, the latter would be a
stupider-and-grounds-for-University-action-at-least policy).

> If the AUP were to be interpreted to mean one can't look at system event
> logs then every request for repair or help will have to result in a wipe
> and reload. Just like the standard last result of most manufacturer help
> desks. Common sense has to come in to the picture somewhere.

The usual Acceptable Use guideline for logs is that one should not simply
browse through them for no apparent reason (the usual catch phrase being
"no fishing expeditions"). If there is some externally-derived reason to
be suspicious, that triggers one part of the SAU (V.1 et seq.)
which would allow investigation of those logs reasonably expected to have
a bearing on the problem. If a system's owner and users say it's OK (or
necessary) to investigate a problem with the system, that constitutes
permission, which triggers another part of the SAU allowing investigation
of the logs. Most practical instances are covered by one or the other of
these cases, and uninvited snooping for no explicit reason is disallowed,
and overall, that's not a bad thing.

The only grey area instance would be "preventative maintenance" types of
log checks, which are probably best done with some sort of "robotic"
assistance (e.g., a software package which compares log entries and such
to known problem patterns) instead of just reading all entries
indiscriminately anyway. This may or may not be technically against the
current SAU, depending on the details of the package used. The proposed
SAU is not finished, but from current reports to the NCC, it has at least
some provision for making this type of checking legal.

Besides the SAU, there is a set of 'guidelines' in the works clarifying
the conditions under which the Vice Provost's office would grant
permission semi-automatically and therefore would no longer need to be
explicitly asked to do so unless some affected person explicitly objects;
the network component of these guidelines is expected to come out by this
summer, and NCC has asked that a version covering "server-resident" issues
which are not explicitly tied to the network, but are affected by the
network SAU, also be considered. These would list categories of or
methodology for system log checks and similar "preventative maintenance"
actions which would be considered to have minimal impact on user privacy,
and thus not violate the intent of the privacy provisions in the SAU.

>
> Does the AUP committee have any techs, who have to live with the
> restrictions of the AUP, on it?

Since Michael Seadle of the Library is one of the NCC's representatives on
the subcommittee working up recommendations for the new SAU, he might be
someone closer to you whom you could ask for more details, but yes, there
are definitely technical people both from ACNS and from departments and
other administrative units involved (Health Team's Linda Losik, who has
been part of this discussion thread, among them).

>
> Don Bosman
> Information Technologist
> Michigan State University, Libraries
> 100 Library
> East Lansing, MI 48824
> 517-432-6123 ex 233
> [log in to unmask]
> [...]

The idea of having this discussion at a meeting is a good one. The next
MSU NAG meeting is tentatively scheduled for the afternoon of Friday,
April 22nd (start time flexible in the range of 1:15 to 3 pm). If this is
really undoable for some of the people who have been suggested as
speakers/discussion leaders, please contact me (not the whole list) and
perhaps I can find another calendar slot. I'll read through the thread
again in a couple of days and see who's willing, who's not, and who can't,
and then make an announcement.

-- George
-------------------------------------------------------------------------
George J Perkins             http://www.pa.msu.edu/people/perkins/
1209B BPS Bldg, MSU          Phone: 517-355-9200 ext 2567
East Lansing, MI 48824-2320  FAX: 517-353-4500