[unisog] Survey: Monitoring/Logging Policies

Richard Gadsden gadsden at musc.edu
Mon Oct 23 20:58:26 GMT 2006


On Mon, 23 Oct 2006, Giulini,Chad wrote:

> Hello,

> I am hoping some of you on this list may be willing to state whether or
> not your institution collects, monitors, and/or archives logs from
> firewalls and/or IDS/IPS devices.

Yes, we do.

> The specific concern here involves logging user-identifiable activity. 
> I am particularly interested in how this is implemented in other 
> Academic Medical Centers, but any feedback is welcome. [snip]

At our academic medical center, this type of monitoring is authorized (and 
restricted) by a paragraph within the "Privacy and Confidentiality" 
section of our Computer Use Policy, which reads as follows:

"Moreover, the University reserves the right to monitor user activities on 
all University computer systems, and to monitor communications utilizing 
the University network, to ensure compliance with University policy, and 
with federal, state and local law. Monitoring shall be performed only by 
individuals who are specifically authorized, and only the minimum data 
necessary to meet institutional requirements shall be collected. Data 
collected through monitoring shall be made accessible only to authorized 
individuals, who are responsible for maintaining its confidentiality."

Here's a link to our policy:

<http://www.musc.edu/infoservices/cup.html>

Hope this helps...

  --- o ---
  Richard Gadsden
  Information Security Office
  Office of the CIO - Information Services
  Medical University of South Carolina

