ITCC / IT Retreat

1. ITCC / IT Retreat Data Access Procedure December 10, 2009 Karl F. Lutzen Information Security Officer

2. Summary of UM System AUP Changes • Electronic information is subject to examination, including (but not limited) to: • It is necessary to maintain or improve the functioning of University computing resources; • There is a suspicion of misconduct under University policies, or suspicion of violation of Federal or State laws; • It is necessary to comply with or verify compliance with Federal or State law including e-discovery procedures; or • If it will serve a legitimate business need of the University.

3. Reasons • AUP needed changes mostly due to • E-discovery requirements • Situations where information is required for mission continuity – ensuring that mission of the University and department are met

4. Process Required for Item 4 • All campuses must have a defined process with minimums: • All requests must be documented and retained • Request must be approved by a minimum set of approvers: • If the request affects a faculty member, an approval by a faculty representative. • An approval by one of the following University administrators at the Chancellor, Vice Chancellor, Provost or Vice Provost level as follows: • Students including student employees –  Student Affairs • Staff – Administrative Services or Human Resources • Faculty – approval from the Chancellor or Provost or designee • Approval by the business unit Chief Information Officer (CIO) or designee

5. Preservation of Data • There is a clause for preservation of electronically stored information. • A general officer or their direct reports in advance of an access request approval may authorize data retention

6. S&T Process • We have defined a process that includes these as well as additionally: • Requires keywords for searches (we do not give direct access to the account) • Areas must be defined as to where we search • Perform legal checks prior to search: • Grievance • Pending litigation: • UM Legal • Student Affairs

7. S&T Process (cont) • Searches are to be conducted by Information Security only. • Records are filed with the campus Information Security Officer • Information Security Personnel may NOT be one of the authorized signatures if CIO is not available. Another suitable delegate must be identified prior to search

8. IT Process - Preservation • Work in progress • Currently: • Any such request must be identified as in the request form • Data is secured, not analyzed, and if access request does not appear in a reasonable time, data copy will be destroyed. • Time needs better definition. Currently held no more than 12 months.

9. Statistics • In addition, all campuses must annually disclose statistics on faculty accounts being accessed. • Action Items: • When should this report occur? • Who to send it to? • Format?

10. Faculty Representative • Need to identify: • Campus faculty representative • Alternate/Delegate for all signers when primary representative is unavailable • Must be kept current • Need to determine online documentation (IT will work on this and report back)

11. Subsequent Searches • Currently, it is Information Security’s view that any additional keywords requires a new request be filed and approved prior to the new search. • Reason: Could be a “fishing” expedition. • This needs more discussion (breakout session)

12. Learning Management Data • Issue: • Instructor unavailable to teach current semester • Data does reside in Blackboard (or other official LMS IT has access to). • What process for providing course data to ensure mission continuity? • Should it be the same as regular request or is this published data different?

13. Breakout Session • Annual faculty data access report: • When? To Whom? What Format? • Faculty representative: • Identify primary representative and delegate(s). • Subsequent searches: • New request form or other? • Data Preservation time: • How long? <=12 months in current draft • Learning Management Data • What process for access?