1006: Guidelines for Systems and Network Administrators
Computer systems and network administrators (SNAs), by the nature of their work, have privileges and responsibilities that other users of technology generally do not have. Without system privileges, SNAs would not be able to do their jobs. The use of these privileges must be wise and thoughtful. These guidelines were developed to articulate responsibilities SNAs have in addition to those outlined in Georgetown University’s Computer Systems Acceptable Use Policy.
- SNAs are bound by the Computer Systems Acceptable Use Policy. Further, SNAs have a responsibility to educate their users about the Policy.
- All SNAs have an additional responsibility to assure the operation, security and integrity of Georgetown University’s computers, networks, and data.
- Consistent with the other obligations imposed on them under the Computer Systems Acceptable Use Policy, other applicable University policies, and the law, SNAs will treat as confidential any private and/or confidential information obtained during system administration. The policy on Confidential Information, #403, published in the Human Resources Manual also applies.
- SNAs must not disclose privileged and confidential information about Georgetown University’s systems or any other information that could prove detrimental to operations or compromise system security.
- It is against University policy for an SNA to read a user’s files. However, SNAs, in the course of routine system administration, may need to delete or archive user files or messages. In order to do this, SNAs must first promulgate a clear policy to the users describing how and when delete or archive actions will be taken. These policies may vary by department. This section does not, however, grant SNAs authority to read user files or messages during routine system administration. Procedures for obtaining authorization to read user files or messages in routine, non-emergency and emergency situations are contained below.
- When reacting to or preventing actions by users that may violate the Computer Systems Acceptable Use Policy or other actions by users that may have significantly detrimental effects on system or network operation, SNAs may need to read, modify or delete user files or messages. Procedures for taking these actions and documenting any access of user files or messages are attached.
- SNAs will take all practical measures to ensure that all hardware and software license agreements are faithfully executed on all systems, networks, servers, and computers for which they have responsibility.
These procedures were designed to balance five issues: 1) protecting users’ privacy; 2) protecting the System or Network Administrator (SNA) in the performance of his or her job; 3) allowing routine administrative actions that might affect users’ files; 4) providing a mechanism to allow non-routine, non-emergency access to users’ files when it can be justified; and 5) providing guidelines for the occasional need to take immediate action. The ability of an SNA to read a user’s files does not imply that he or she may do so without obtaining the approval required by these procedures.
During routine administration SNAs may need to archive or delete user files or messages from the system; for example, this usually is due to physical data storage limits or an individual’s departure from the University. In this situation, it is not necessary for an SNA to read or view user files; all work is done using system utilities, machine to machine. Given that these situations are foreseeable, each organization responsible for a computer or network system on which these actions will take place must define how and when they will occur. Reasonable efforts must then be made to ensure that system users understand the policy.
Non-routine, non-emergency situations may occur where it is necessary to examine a user’s files without being able to obtain his/her specific permission or authorization. Typically, there will be no threat to the operations or security of the computer or network system. The intent of these procedures is to separate the authority to read user files or messages from the technical ability to do so. This separation attempts to protect both the user and the SNA.
- An administrator with substantial cause to gain access to user files or messages not their own must send a written request to the Associate Vice President for University Information Services or previously designated representative responsible for the system wherein those files or messages reside. The reason(s) must be clearly stated.
- The CIO, or previously designated representative, will evaluate the request and make a recommendation. If the recommendation is that the user’s files be accessed, the CIO, or previously designated representative, will forward that recommendation, with the original request, to the Executive Vice-President for the Main Campus, the Executive Vice-President for the Medical Center, the Executive Vice President for the Law Center, the Vice President for Finance and Treasurer, the Vice President for Alumni and University Relations, or the Senior Vice President, based on the organizational component of the University to which the user belongs. Requests from the above-named administrators will be approved by the President. The authority given to Vice Presidents, including Executive Vice Presidents, and the President, under this paragraph may not be delegated.
- If the appropriate University official approves the request, the cognizant CIO, or representative, will authorize an SNA to access the user’s files. A complete report will be made to the user, the original requester and the appropriate University official(s).
Situations will occur that pose immediate threats to the operations or security of computer or network systems. Because of the immediacy, the SNA will need to intervene without obtaining the written permission usually required before taking actions that may affect user files, messages or system access privileges. The intent of these procedures is to allow SNAs to take appropriate, timely action when protecting University computer systems while ensuring that the user and appropriate University officials will be made aware of the situation as soon as possible.
- If an SNA determines that user files or messages pose a significant threat to the operation or security of a University computer or network system, he or she will take appropriate action to correct the problem. Additionally, the SNA may temporarily restrict the user’s access to that computer or network system. The SNA will not perform any action on user files or messages that are not relevant to the current problem and will not take any technical action, at this point, that would permanently deprive the user of access to the computer or network system.
- If possible, the SNA should consult with his/her supervisor prior to taking action. As soon as possible after action is taken, but no later than the next business day, the SNA will make a written report to his or her immediate supervisor outlining the nature of the situation, including, but not limited to: the nature of the threat; protective actions taken; the user(s) involved; the user files or messages that were affected.
- After appropriate review, the SNA’s supervisor will forward the report, along with any recommendations, to the CIO responsible for the affected system and to the CIO Council.
- After appropriate review, the CIO, or previously designated representative, will evaluate the situation. The CIO, or previously designated representative, will forward a report of the situation to the appropriate office as outlined below. The CIO, or previously designated representative, in consultation with the cognizant SNA, will make a further determination as to whether a temporary restriction on the user’s access is appropriate.
In any incident that may be a violation of the Computer Systems Acceptable Use Policy, the role of the SNA and other staff is to serve as investigators. Often in the course of the investigation when talking with a user, the user admits the action and the situation is resolved. Incidents that are not resolved during investigation or that are determined to be repeat offenses are considered to be policy violations and will be handled as follows:
- Policy violations by students will be handled in accordance with the Student Code of Conduct and referred to the Office of Student Conduct.
- Policy violations by faculty or NTAs will be treated as academic matters and will be referred to the appropriate academic official and/or cognizant vice-president.
- Policy violations by University employees who are not faculty will be handled in accordance with Georgetown University Policy #302, Disciplinary Actions and Dismissals and referred to the head of that employee’s department.
- It is understood that University policy does not preclude enforcement under the laws and regulations of the United States of America or the District of Columbia.
Any Georgetown University student, employee or contractor hired by the University who has any responsibility for Computer System and Network Administration must comply with this policy.
Contact the Associate Vice President for University Information Services if you have questions or if you would like more information about this policy.