ITCC / IT Retreat Data Access Procedure December 10, 2009 Karl F. Lutzen Information Security Officer


ITCC / IT Retreat

Data Access Procedure
December 10, 2009

Karl F. Lutzen Information Security Officer


Summary of UM System AUP Changes

• Electronic information is subject to examination, including (but not limited) to:
  – It is necessary to maintain or improve the functioning of University computing resources;
  – There is a suspicion of misconduct under University policies, or suspicion of violation of Federal or State laws;
  – It is necessary to comply with or verify compliance with Federal or State law including e-discovery procedures; or
  – If it will serve a legitimate business need of the University.


Reasons

• AUP needed changes mostly due to
  – E-discovery requirements
  – Situations where information is required for mission continuity – ensuring that mission of the University and department are met


Process Required for Item 4

• All campuses must have a defined process with minimums:
  – All requests must be documented and retained
  – Request must be approved by a minimum set of approvers:
    • If the request affects a faculty member, an approval by a faculty representative.
    • An approval by one of the following University administrators at the Chancellor, Vice Chancellor, Provost or Vice Provost level as follows:
      » Students including student employees – Student Affairs
      » Staff – Administrative Services or Human Resources
      » Faculty – approval from the Chancellor or Provost or designee
    • Approval by the business unit Chief Information Officer (CIO) or designee


Preservation of Data

• There is a clause for preservation of electronically stored information.
  – A general officer or their direct reports in advance of an access request approval may authorize data retention


S&T Process

• We have defined a process that includes these and additionally:
  – Requires keywords for searches (we do not give direct access to the account)
  – Areas must be defined as to where we search
  – Perform legal checks prior to search:
    • Grievance
    • Pending litigation:
      – UM Legal
      – Student Affairs


S&T Process (cont)

• Searches are to be conducted by Information Security only.

• Records are filed with the campus Information Security Officer

• Information Security Personnel may NOT be one of the authorized signatures if CIO is not available. Another suitable delegate must be identified prior to search


IT Process - Preservation

• Work in progress
• Currently:
  – Any such request must be identified as in the request form
  – Data is secured, not analyzed, and if access request does not appear in a reasonable time, data copy will be destroyed.
  – Time needs better definition. Currently held no more than 12 months.


Statistics

• In addition, all campuses must annually disclose statistics on faculty accounts being accessed.

• Action Items:
  – When should this report occur?
  – Who to send it to?
  – Format?


Faculty Representative

• Need to identify:
  – Campus faculty representative
  – Alternate/Delegate for all signers when primary representative is unavailable
• Must be kept current
  – Need to determine online documentation (IT will work on this and report back)


Subsequent Searches

• Currently, it is Information Security’s view that any additional keywords require a new request to be filed and approved prior to the new search.
• Reason: Could be a “fishing” expedition.
• This needs more discussion (breakout session)


Learning Management Data

• Issue:
  – Instructor unavailable to teach current semester
  – Data does reside in Blackboard (or other official LMS IT has access to).
• What process for providing course data to ensure mission continuity?
• Should it be the same as regular request or is this published data different?


Breakout Session

• Annual faculty data access report:
  – When? To Whom? What Format?
• Faculty representative:
  – Identify primary representative and delegate(s).
• Subsequent searches:
  – New request form or other?
• Data Preservation time:
  – How long? <=12 months in current draft
• Learning Management Data
  – What process for access?