Procedures in Support of the Acceptable Use Policy
Approved June 4, 1996
Modified: November 14, 1996
Approved with modifications by the Academic Senate: June 23, 1997
Guiding Principles: These procedures were designed to balance five issues: (1) protecting users' privacy; (2) protecting the System or Network Administrator (SNA) in the performance of his or her job; (3) allowing routine administrative actions that might affect users' files; (4) providing a mechanism to allow non-routine, non-emergency access to users' files when it can be justified; and (5) providing guidelines for the occasional need to take immediate action. The ability of an SNA to read a user's files does not imply that he or she may do so without obtaining the approval required by these procedures.
A. Routine Operations
During routine administration SNAs may need to archive or delete user files or messages from the system; for example, this usually is due to physical data storage limits or an individual's departure from the University. In this situation, it is not necessary for an SNA to read or view user files; all work is done using system utilities, machine to machine. Given that these situations are foreseeable, each organization responsible for a computer or network system on which these actions will take place must define how and when they will occur. Reasonable efforts must then be made to ensure that system users understand the policy.
B. Non-emergency Situations
Non-routine, non-emergency situations may occur where it is necessary to examine a user's files without being able to obtain his/her specific permission or authorization. Typically, there will be no threat to the operations or security of the computer or network system. The intent of these procedures is to separate the authority to read user files or messages from the technical ability to do so. This separation attempts to protect both the user and the SNA.
- An administrator with substantial cause to gain access to user files or messages not their own must send a written request to the Vice President for Information Services and Chief Information Officer (CIO) or previously designated representative responsible for the system wherein those files or messages reside. The reason(s) must be clearly stated.
- The CIO, or previously designated representative, will evaluate the request and make a recommendation. If the recommendation is that the user's files be accessed, the CIO, or previously designated representative, will forward that recommendation, with the original request, to the Provost, the Executive Vice-President for the Medical Center, the Executive Vice President for the Law Center, the Vice President for Administrative Services, the Vice President for Finance and Treasurer, the Vice President for Alumni and University Relations, or the Senior Vice-President, based on the organizational component of the University to which the user belongs. Requests from the above named administrators will be approved by the President. The authority given to Vice Presidents, including the Provost, the Executive Vice Presidents, and the President, under this paragraph may not be delegated.
- If the appropriate University official approves the request, the cognizant CIO, or previously designated representative will authorize an SNA to access the user's files. A complete report will be made to the user, the original requester and the appropriate University official(s).
C. Emergency Situations
Situations will occur that pose immediate threats to the operations or security of computer or network systems. Because of the immediacy, the SNA will need to intervene without obtaining the written permission usually required before taking actions that may affect user files, messages or system access privileges. The intent of these procedures is to allow SNAs to take appropriate, timely action when protecting University computer systems while ensuring that the user and appropriate University officials will be made aware of the situation as soon as possible.
- If a SNA determines that user files or messages pose a significant threat to the operation or security of a University computer or network system, he or she will take appropriate action to correct the problem. Additionally, the SNA may temporarily restrict the user's access to that computer or network system. The SNA will not perform any action on user files or messages that are not relevant to the current problem and will not take any technical action, at this point, that would permanently deprive the user of access to the computer or network system.
- If possible, the SNA should consult with his/her supervisor prior to taking action. As soon as possible after action is taken, but no later than the next business day, the SNA will make a written report to his or her immediate supervisor outlining the nature of the situation, including, but not limited to: the nature of the threat; protective actions taken; the user(s) involved; the user files or messages that were affected.
- After appropriate review, the SNA's supervisor will forward the report, along with any recommendations, to the AVP/UIS or previously designated representative for the affected system.
- After appropriate review, the CIO, or previously designated representative, will evaluate the situation. The CIO, or previously designated representative, will forward a report of the situation to the appropriate office as outlined below. The CIO, or previously designated representative, in consultation with the cognizant SNA, will make a further determination as to whether a temporary restriction on the user's access is appropriate.
In any incident that may be a violation of the Computer Systems Acceptable Use Policy, the role of the SNA and other staff is to serve as investigators. Often in the course of the investigation when talking with a user, the user admits the action and the situation is resolved. Incidents that are not resolved during investigation or that are determined to be repeat offenses are considered to be policy violations and will be handled as follows:
- Policy violations by students will be handled in accordance with the Student Code of Conduct and referred to the Office of Student Conduct.
- Policy violations by faculty or NTAs will be treated as academic matters and will be referred to the appropriate academic official and/or cognizant vice-president.
- Policy violations by University employees who are not faculty will be handled in accordance with Georgetown University Policy #302, Disciplinary Actions and Dismissals and referred to the head of that employee's department.
It is understood that University policy does not preclude enforcement under the laws and regulations of the United States of America or the District of Columbia.