January 17-18, 2002

ITEM 114-104-R0102   Board of Regents Policies and Procedures Manual: Information Technology; Privacy, Security and Monitoring (1) (New)


No. 1

Scope:

This policy applies to all MUS individuals using MUS-owned or managed computing and information resources (hereinafter "users").

 

Purpose:

This policy outlines the general rules governing the MUS's rights and responsibilities to monitor the use of the computers and networks it operates, and the balance between those rights and responsibilities and the expectation of a reasonable degree of privacy in the use of those facilities by users.

 

Requirements

The MUS has the legal responsibility to assure that the computers and networks it operates are used appropriately. The data contained on those computers and transmitted on those networks are presumed to be MUS property unless MUS's rights are otherwise limited by law, policy or contract. In any case, the data contained on those computers and transmitted on those networks is subject to control, inspection and monitoring by the MUS. In order to meet its obligations, the MUS, through specific designated personnel, will either routinely or for a specific purpose monitor certain types of activity on its computers and network.

The types of activities the MUS will monitor and on which they will maintain records (e.g., activity logs) include, but are not limited to:

  1. e-mail sent from or received by email systems operating on MUS sites;
  2. accesses to external Web sites originating from MUS sites;
  3. other significant external network activity originating from or received by MUS sites; and
  4. the stored contents of permanent memory attached to MUS computers (e.g., including installed software and software version information, system data, and user data).

The MUS's general interests in these aspects stem from both its obligations to prevent misuse and its commitments to its users to provide certain services, such as system and user data backups in case of system failures, reasonable and robust network performance, optimized access paths for frequently accessed Web sites, optimized network performance for other types of network activity (e.g., video conferencing, remote high speed computation), guarantees that system software is updated appropriately and efficiently, and blocking and/or detecting the sorts of disruptive activity characterized as hacking or system cracking, virus/worm infection, and denial of service. Routine network monitoring typically focuses on "general" patterns of use, but attempts to optimize performance, detect anomalies, and track down possible intrusions can and will lead to user-specific monitoring;. Activities such as doing routine "back ups" for user data files and email systems always involves collecting and copying user-specific data.

Information gained through monitoring will be held in confidence by the MUS when required by law, but records obtained by monitoring may be used within the MUS by MUS officials and employees for purposes appropriate to the management and administration of the MUS, including the investigation of any kind of possible misconduct by a user or a third party. In addition, records will be released if necessary to comply with a court order or other legal instrument binding upon the MUS or its officials. Requests by members of the public for records will be complied with in a fashion consistent with the law on public access to records and privacy. Persons requesting public disclosure of such records may be assessed the reasonable cost of time and material used to meet the request.