VIII. Special Responsibilities of System and Network Administrators
Administrators of information technology bear a heavy responsibility to maximize the availability and utility of the systems they manage while at the same time honoring individual users’ justifiable expectations of an information and communications environment that is "safe" for its users. In addition to having all the responsibilities of any other user as described above, system administrators are granted certain system privileges which make it possible for them to manage the technical resources under their control. System privileges may permit access to initial passwords, files, voice mail, telephone or electronic communication, and information about individual usage patterns. These privileges are necessary for doing their jobs, but have tremendous potential for abuse as well. Such abuse is a violation of University policy and this section outlines the unique responsibilities and obligations of system and network administrators.
These special responsibilities accompany the granting of any network or system privileges to any member of the University community, whether faculty, student or staff. System administrators to whom this applies include individuals who administer departmental, college or institutional servers; individuals who administer network devices such as modems and routers; individuals responsible for telephone services; and individuals who have any level of privileged access to institutional information systems. Under no circumstances will abuse of system privileges be tolerated and violations will be considered as legitimate cause for disciplinary action up to and including termination and/or legal prosecution. Individuals who are not willing to accept these responsibilities should not be in positions which require system privileges in order to perform their duties.
In addition, individual systems and servers can be carelessly mismanaged not only to the detriment of the users of that system or service but to the detriment of the entire institution. Before making the decision to install a server, the responsible administrator should be prepared to commit the time and resources necessary to ensure proper management. This includes designation of a professional system administrator who will have the time and expertise to understand the technical implications of their systems, maintain current on vulnerabilities, software patches and new releases, and be able to address urgent issues on an immediate basis. Failure to do so may endanger not only the integrity of services provided to one’s own users but to the institution as a whole. The University will not hesitate to disconnect improperly managed systems that endanger the integrity of institutional networks, systems or services and it will be the sole responsibility of the unit’s system administrator or its management to remedy the situation.
While the following list is not considered to be all-inclusive, it establishes the framework for unacceptable behaviors. University management has the responsibility to ensure that system administrators within their units address these matters and should not permit the establishment of servers and services within their units unless they understand the potential for abuse and accept responsibility for compliance. And users should be welcomed to discuss any or all of these matters with their system administrators. All perceived violations of these guidelines should be reported to the appropriate dean, director, provost or vice-president.
A. System administrators shall protect individual passwords
Users have the right to expect that their passwords be treated with complete confidentiality. Passwords should never be divulged to a third party except as necessary in the course of distributing a new password to a user. System administrators should take the utmost care in how passwords are distributed, striving for the best possible balance between a user’s needs for privacy and convenience. Any time a password is transmitted to a user the user should be advised to change their password immediately to protect against any possible disclosure during the transmission.
B. System administrators shall not browse, inspect or copy users’ information
System administrators may not browse the contents of user files or messages -- whether on-line or from backups -- without the user’s permission. Inspection of information is permitted only upon specific authorization from a dean, director, provost, vice-president or legal authorities as part of a duly authorized investigation or for official University business. As a matter of professionalism, system administrators should avoid direct or indirect contact with users’ information and communication content whenever possible. In spite of their best efforts system administrators may from time-to-time encounter confidential information in the performance of their duties. Under no circumstances should such information be acted upon, divulged, or used for the personal benefit or profit of anyone. Violations of this trust endanger the viability of the institutional information infrastructure and will not be permitted. . However, system administrators may perform routine scans and are encouraged to utilize standard security tools to check for potentially damaging or illegal software on institutional systems.
C. System and network administrators shall not routinely collect information on individuals’ information usage patterns
The University expects that the members of its community will access a rich variety of information and communication resources in the course of their academic activities. System administrators shall not monitor or collect data regarding the activities of individuals unless specifically authorized to do in the context of a duly authorized investigation. This is not intended to interfere with the responsibility of system administrators to collect and analyze general anonymous information about the overall patterns of usage of information technology resources. Such information is a vital tool in ensuring the adequacy of the institutional technology environment to meet the needs of its users. Nor are system administrators obliged to spend undue efforts disabling the routine logging activities that are built into many server operating systems.
D. System administrators shall configure software systems so as to maximize the confidentiality of user communication
Administrators of email servers in particular bear a responsibility to respect the privacy of their users’ communication. Email systems should be configured so as to maximize privacy. For example, email that is rejected for technical reasons should be returned to the sender rather than to the "postmaster." And routine error notification messages to the postmaster should contain only message headers, not the message contents. Users are encouraged to ask their email administrator how email systems are configured and under what circumstance their email may be disclosed.
E. System administrators shall configure systems to enforce appropriate password policies
Most server operating systems have configurable options for password security. UH system administrators should use these options to comply with the UH password policy in Appendix C. In addition, system administrators should ensure that all activities relating to security changes are handled in accord with a written policy and are documented. E.g., system privileges should not be given to individuals who do not need them to perform their job, and the granting of such privileges should be documented. Procedures should be in place for emergency access to critical passwords needed in case of system failure when the usual system administrator(s) may not be available. The level of formality and detail of the security policy and practices may be dependent on the role and importance of specific systems and services.
F. System administrators shall stay abreast of any vulnerabilities of their systems and manage security in accord with appropriate recommendations
System administrators are responsible for remaining up-to-date at all times with security issues relevant to the systems they administer. This may be done through means such as their vendors’ information channels or Computer Emergency Response Team (CERT) bulletins. System administrators are required to use this information to apply all recommended security patches in a timely manner.
G. System administrators should configure their systems to minimize the chance for abuse, and act promptly to end abuses upon notification
Certain kinds of disruptions rely on the naiveté of system administrators on the Internet. Any perception that the University of Hawai‘i is a haven for such abusers endangers the ability of the University community to communicate with others. For example, external sites that have been attacked by someone using a University of Hawai‘i system as the instrument of the attack may find that they can only safeguard themselves by blocking all traffic from the University of Hawai‘i. As just two examples of the kinds of measures that should be taken, email administrators should block anonymous email relays through their systems and network administrators should block the forging of IP source addresses from within networks they manage. As noted above, the University will not hesitate to disconnect improperly managed systems that endanger the integrity of institutional networks, systems or services and it will be the sole responsibility of the unit’s system administrator or its management to remedy the situation.
H. System administrators shall publicize backup policy
As noted above, backups present a means by which information may be recovered that users believe to have been deleted. Backup policies determine the persistence of deleted information and therefore users have a right to know the backup policy of all systems they use. System administrators should post this policy or make it easily available to their users upon request.