A colleague posed a question to me this week that left me wondering about conflict-of-interest policies related to union leadership working within IT. The question was - do they exist?

The context - some IT positions have covert access to all employee files, emails, correspondence, etc. The nature of the job requires it. (Disclaimer - our IT staff are awesome and fully trustworthy - but the fact that they *can* do this makes some folks nervous. I find myself defending this need from time to time.)

The question - are these IT employees held to a different standard or degree of responsibility given the power they have? Are there policies or controls? Should they be actively involved with union negotiations, grievances, or other highly sensitive issues that traffic our infrastructure? What if we hire someone who takes advantage of these tools?

We have mechanisms in place to manage this here, but the question lingers. It makes me wonder what others are thinking or doing along these lines. IT staff have superpowers in this regard. And there is a 'who is watching the watchmen' theory that persists with some of our customers.

So, that's a long way of asking - what are others doing along these lines?
 
Brad Hinson
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

I don't have the legislation right in front of me, but my security officer tells me that there is in fact federal law that has stiff penalties for those who abuse their elevated permissions to violate corporate policies.

Mike


--

-- mike

Michael Roy
Dean of Library and Information Services & Chief Information Officer
Middlebury College

mobile: 860 301 2611
email: mdroy@middlebury.edu

Thanks Mike...good to know. It may help to calm the nerves of some of our more concerned customers.

Regards

Gary


Mike 

It would be interesting to see the actual legislation. Any chance the SO could post more information?

Thanks

Bill




Brad,

We have a couple of IT staff that have union roles, but they generally don't have the kind of superuser permissions you outlined, so this specific question has not come up. If they did have that kind of access, I would generally refer to our acceptable use policy that strictly prohibits misuse of any kind. Of course, that doesn't always calm the nerves of the person concerned about such misuse. I would also like to see the specific legislation a couple of our colleagues have mentioned in response to this post.

Regardless of union involvement, we occasionally get the "who is watching the watchperson" question.  Again, I point to our AUP and simply remind my colleagues that we take our role in protecting the information assets of the institution very seriously.  Ultimately, they have to put their trust in us.  We have appropriate controls in place to detect problems and can report to them regularly on our monitoring efforts.  If they suspect there is wrongdoing afoot, please let me know and I will deal with it swiftly.  If they don't trust me they always have the option of calling in an outside agency to audit.  This is probably not the most satisfactory response for most people.  I think folks are often looking for some sort of guarantee that nothing bad will happen.

Joe
______________________________________
Joseph Moreau
Chief Technology Officer
State University of New York at Oswego
509 Culkin Hall
7060 State Route 104
Oswego, NY  13126
joseph.moreau@oswego.edu
315-312-5500 office
315-806-2166 mobile
315-312-5799 fax
______________________________________


Message from jenos@fandm.edu

Hi All,

We post our ITS code of conduct http://www.fandm.edu/its/policies/security/codeofconduct and have every ITS employee sign it and keep a record of that on file. This issue hasn't surfaced for a number of years here.

Jon




Message from alfred.essa@gmail.com

Joseph Moreau has it right, I believe. 

In my previous position the majority of IT staff were unionized and some held leadership positions in the union.  It's irrelevant whether the IT employee has a union role. 

The AUP defines appropriate use of data and access. If an IT staff, union member or not, tries to access data not appropriate to their job, they should know that they will be fired on the spot. In most cases we can tie AUP to audit trails and controls, especially for sensitive data.

Alfred Essa 

Disclaimers: I’m not a lawyer, and the personal views expressed do not reflect the opinions of my organization…

 

Not sure if these are the right ones, but I believe two pieces of legislation that may apply to abusing privileges are:

 

#1) 18 U.S.C. § 2701.  Unlawful Access to Stored Communications

  (a) Offense - Except as provided in subsection (c) of this section whoever -

     (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

     (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

  (b) Punishment - The punishment for an offense under subsection (a) of this subsection is -

     (1) if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain -

        (A) a fine under this title or imprisonment for not more than one year, or both, in the case of a first offense under this subparagraph; and

        (B) a fine under this title or imprisonment for not more than two years, or both, for any subsequent offense under this subparagraph; and

     (2) a fine under this title or imprisonment for not more than six months, or both, in any other case.

  (c) Exceptions - Subsection (a) of this section does not apply with respect to conduct authorized -

     (1) by the person or entity providing a wire or electronic communications service;

     (2) by a user of that service with respect to a communication of or intended for that user; or

     (3) in section 2703, 2704 or 2518 of this title.

 

The university, as the service provider, can authorize individuals to perform regular tasks such as virus scanning, space utilization analysis, etc. Anything beyond those specified tasks could be viewed as exceeding authorization.

 

#2) 18 U.S.C. § 2511 : Interception and disclosure of wire, oral, or electronic communications prohibited

(1) Except as otherwise specifically provided in this chapter any person who -

  (a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication;

[…]

  (c) intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection;

  (d) intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection; or

[…]

(2)

  (a) (i) It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.

[...]

  (d) It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.

[...]

(4)(a) Except as provided in paragraph (b) of this subsection or in subsection (5), whoever violates subsection (1) of this section shall be fined under this title or imprisoned not more than five years, or both.

[...]

 

Section 2511 also suggests that employees are authorized to perform certain tasks inherent to their assigned duties (bandwidth monitoring, troubleshooting switches, observing email queues, etc.), but that there are limits on what is acceptable.

 

I’m not familiar with specific cases that have resulted in penalties, but it appears that jail is not out of the realm of possibility. Probably not very likely, but hopefully still an effective deterrent for those who are tempted to abuse their elevated permissions.

 

After mentioning these potential consequences of professional misconduct to concerned community members, they usually walk away satisfied that IT’s “absolute power” is not being abused.

 

Richard Loesch, MBA
Chief Information Officer,
Information Technology Services
Rosalind Franklin University of Medicine and Science
http://www.rosalindfranklin.edu
Phone: 847.578.3225
Fax: 847.578.3202

 



Like Franklin & Marshall, Alma College has a standard of conduct that IT staff sign. We had a recent situation where our Counseling & Wellness Center purchased a software package and thought it should be on a server located in their office to protect HIPAA rights. We convinced the Director that the data would be more secure in a firewall-protected data center. In this situation our standard of conduct functioned as a confidentiality agreement and helped grease the wheels to do the right thing.

Keith Nelson
Chief Technology Officer
Alma College


Here's the legal stuff. The general question is at the bottom. I am late for a meeting - but lunch next week or early the week after?!


____________
Carol Katzman
Vice President for Information Technology
Barnard College, Columbia University
3009 Broadway
New York, New York 10027

For BCIT News & Alerts, please visit http://www.barnard.edu/bcit.


