Charter for System and Network Administrators

Revised June 2002

Preamble

This document is based on a draft prepared by the Head of UKERNA's Computer Emergency Response Team (CERT). That draft was endorsed by the Universities and Colleges Information Systems Association (UCISA) and by the IT Syndicate at Cambridge.

The charter is useful to three groups: to users who wish to know the powers of system and network administrators and to be assured that these will not be abused; to such administrators themselves, who are often concerned about the legality and implications of their actions; and to Heads of Departments and, in Colleges, to Bursars and Senior Tutors, so that they understand the reasonable requirements of system and network administrators' jobs and the activities they will be required to support.

It is suggested that this charter, or an equivalent statement of rights and responsibilities, should form part of (or be referenced from) the job description or job instructions of any person employed by a Department or College as a system or network administrator.

Acceptance of the rights and privileges of authorised administrators is a condition of use of any computer connected to the CUDN and also of connecting any computer to a departmental or College network connected to the CUDN.

Introduction

System and network administrators, as part of their daily work, need to perform actions which may result in the disclosure of information held by other users in their files, or sent by users over communications networks. This charter sets out the actions of this kind which authorised administrators may expect to perform on a routine basis, and the responsibilities which they bear to protect information belonging to others. Administrators also perform other activities, such as disabling machines or their network connections, that have no privacy implications; these are outside the scope of this charter and are part of local working arrangements in the Department or College concerned.

On occasion, administrators may need to take actions beyond those described in this charter. Some of these situations are noted in the charter itself. In all cases administrators must seek individual authorisation from the appropriate person for the specific action they need to take. These exceptional activities may well have legal implications for both the individual and the organisation, for example under the Human Rights Act. Institutions should therefore ensure that they have procedures in place to allow such authorisation to be obtained promptly in all circumstances (a suitable proforma for such authorisation appears at the end of the charter). Keeping good records, preferably against a pre-prepared checklist, will help to protect the investigator and the institution from any charge of improper actions.

Authorisation and Authority

System and network administrators require formal authorisation from the "owners" of any equipment they are responsible for. The law refers to "the person with a right to control the operation or the use of the system". In a Department this is normally the Head of Department and, in a College, the Bursar or Senior Tutor, since in Cambridge responsibility for networks and computers is delegated to the Departments and Colleges. For Computing Service systems, the responsible person is the Director of the Service. Individual systems connected to the network may have more complicated ownership, as they may be formally the property of another department or of an individual student or fellow. Authority in these cases needs to be worked out locally. However, note that for network administration purposes, the authority ultimately rests with the Computing Service, since it is a condition of connection to the CUDN (or to Departmental and College networks connected to the CUDN) that the Service shall have right of access to investigate suspected interference with proper operation of the networks (see Authorisation for use of the Cambridge University Data Network).

Normally, an IT support person, such as a Computer Officer, in a Department or College will be the administrator responsible for the network and systems in that institution, but staff of the Computing Service will carry out any administrative work necessary on Computing Service systems such as the PWF, the Managed Clusters or CUS (in the case of Managed Clusters, close liaison would be expected with the administrator in the institution concerned). If any administrator is ever unsure about the authority they are working under they should stop and seek advice immediately as otherwise there is a risk that their actions may be in breach of the law.

Permitted Activities

The duties of system administrators can be divided into two areas.

The first duty of an administrator is to ensure that networks, systems and services are available to users and that information is processed and transferred correctly, preserving its integrity. Here the administrator is acting to protect the operation of the systems for which he or she is responsible. For example, investigating a denial of service attack or a defaced web server is an operational activity, as is the investigation of crime.

Many administrators also play a part in monitoring compliance with policies which apply to the systems. For example, some organisations may prohibit the sending or viewing of particular types of material, may restrict access to certain external sites, or may ban certain services from local systems or networks. Both the Authorisation for Use of the CUDN and the JANET Acceptable Use Policy prohibit certain uses of the network. In all of these cases the administrator is acting in support of policies, rather than protecting the operation of the system.

The law differentiates between operational and policy actions, for example in section 3(3) of the Regulation of Investigatory Powers Act, so the administrator should be clear, before undertaking any action, whether it is required as part of their operational or policy role. The two types of activity are dealt with separately in the following sections.

Operational activities

Where necessary to ensure the proper operation of networks or computer systems for which they are responsible, authorised administrators may:

  • monitor and record traffic on those networks or display it in an appropriate form;
  • examine any relevant files on those computers;
  • rename any relevant files on those computers or change their access permissions (see Modification of Data below);
  • create relevant new files on those computers.

Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it, the administrator must not attempt to make the content readable without specific authorisation from management or the owner of the file.

The administrator must ensure that these activities do not result in the loss or destruction of information. If a change is made to user filestore then the affected user(s) must be informed of the change and the reason for it as soon as possible after the event.

Policy activities

Administrators must not act to monitor or enforce policy unless they are sure that all reasonable efforts have been made to inform users both that such monitoring will be carried out and of the policies to which it will apply. If this has not been done through a general notice to all users then before a file is examined, or a network communication monitored, individual permission must be obtained from all the owner(s) of files or all the parties involved in a network communication.

Provided administrators are satisfied that either a general notice has been given or specific permission granted, they may act as follows to support or enforce policy on computers and networks for which they are responsible:

  • monitor and record traffic on those networks or display it in an appropriate form;
  • examine any relevant files on those computers;
  • rename any relevant files on those computers or change their access permissions or ownership (see Modification of Data below);
  • create relevant new files on those computers.

Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it, the administrator must not attempt to make the content readable without specific authorisation from management or the owner of the file.

The administrator must ensure that these activities do not result in the loss or destruction of information. If a change is made to user filestore then the affected user(s) must be informed of the change and the reason for it as soon as possible after the event.

Disclosure of information

System and network administrators are required to respect the secrecy of files and correspondence.

During the course of their activities, administrators are likely to become aware of information which is held by, or concerns, other users. Any information obtained must be treated as confidential: it must neither be acted upon nor disclosed to any other person unless this is required as part of a specific investigation:

  • Information relating to the current investigation may be passed to managers or others involved in the investigation;
  • Information that does not relate to the current investigation must only be disclosed if it is thought to indicate an operational problem, or a breach of local policy or the law, and then only to management for them to decide whether further investigation is necessary.

Administrators must be aware of the need to protect the privacy of personal data and sensitive personal data (within the meaning of the Data Protection Act 1998) that is stored on their systems. Such data may become known to authorised administrators during the course of their investigations. Particularly where this affects sensitive personal data, any unexpected disclosure should be reported to the relevant data controller.

Modification of Data

For both operational and policy reasons, it may be necessary for administrators to make changes to user files on computers for which they are responsible. Wherever possible this should be done in such a way that the information in the files is preserved:

  • rename or move files, if necessary to a secure off-line archive, rather than deleting them;
  • instead of editing a file, move it to a different location and create a new file in its place;
  • remove information from public view by changing permissions (and if necessary ownership).

Where possible the permission of the owner of the file should be obtained before any change is made, but there may be urgent situations where this is not possible. In every case the user must be informed as soon as possible what change has been made and the reason for it.

The administrator may not, without specific individual authorisation from the appropriate authority, modify the contents of any file in such a way as to damage or destroy information.

References

It is not possible to list here all the legislation which applies to the work of system and network administrators. However, the following Acts are particularly relevant to the activities covered by this charter.

The Office of the Information Commissioner is to publish guidelines on monitoring of electronic mail. JISC have published Senior Management Briefing Papers which discuss the specific implications of legislation for the education community:

A selection of examples has been written by UKERNA to illustrate how the charter might be applied to particular situations.

Authorisation proforma

A proforma for authorisation for exceptional surveillance is available as an RTF file that can then be modified by end users.

With acknowledgements to UKERNA, July 2002