Educause Security Discussion mailing list archives

Re: Sniffer notification


From: Neil_Sachnoff <Neil_Sachnoff () MIDDLESEXCC EDU>
Date: Tue, 23 Mar 2004 11:14:52 -0500

Our Acceptable Use Policy includes the following statements:



"To insure adherence to these standards and protect the integrity of its
computing resources, the college reserves the right to monitor such
resources.  Any behavior in violation of the college's standards is cause
for disciplinary action."



Neil S. Sachnoff, Executive Director, Information Technology

Middlesex County College

2600 Woodbridge Avenue, JLC Rm. 209

Edison, NJ 08818-3050

V-732.906.2601/Fax 732.548.6814

Neil_Sachnoff () MiddlesexCC edu

Web: http://www.MiddlesexCC.edu



-----Original Message-----
From: Tracy Mitrano [mailto:tbm3 () CORNELL EDU]
Sent: Tuesday, March 23, 2004 11:12 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Sniffer notification



Just curious on this thread about a related question:

        How many schools have IT policies that state something to the effect
of:

        "[Name of Institution] does not as a practice monitor its network
for content"

Please note that such a statement does not prevent whatever technical
measures are necessary for security and maintenance, as is explained by
additional policy language.

Thanks!

Tracy




At 10:55 AM 3/23/2004 -0500, Richard Gadsden wrote:



On Tue, 23 Mar 2004, Cal Frye wrote:

We're about to diagnose some networking issues here with rather
aggressive use of Sniffer on student ports. We've always considered this
to be pretty intrusive, and not to be done without notifying the users
involved that we would be listening in. But we don't have written
policies concerning this action, beyond the general statement that we
(1) respect users' privacy but (2) reserve the right to sniff should the
need strike us.

Anyone have a quick link to policies and notification documents to be
sent to the user that I might have a look at and/or steal outright? I
worry that there's something I might overlook in the process.

If you're not sure that the existing "general statement" in your policy
authorizes the diagnostic activity that you have in mind, then your first
stop should be your university counsel's office. That should be part of
your standard procedure for anything potentially invasive that's outside
the scope of routine operations.

If your legal counsel advises that you are authorized to proceed based on
your existing policy, then you might, in terms of notification, simply let
the affected users know about the coming diagnostic activity, and
reference the policy that authorizes it.

For example, were I in your shoes, I'd probably be referring the affected
users to the "Privacy and Confidentiality" section of our school's
computer use policy:

 <http://www.musc.edu/ccit/cup/cup2001.html>

 --- o ---
 Richard Gadsden
 Director of Computer and Network Security
 Medical University of South Carolina

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
