The University supports a climate of trust and respect and does not
routinely monitor faculty, staff, or student use of its computing and
network resources. The University does not condone censorship. It does
not condone the inspection of information systems files and usage records
except in specific circumstances.
Information systems files and usage records may be reviewed and/or documented
for purposes related to security management, system maintenance, system
troubleshooting, or license compliance. Some review and documentation
functions are executed by automatic utilities; others are performed
by technical support staff (both in the Department of Information Resources
and in other university departments). Supervisors, managers, chairs,
and others may access electronic information maintained by their staff
and faculty as needed for business purposes. This kind of access is
"routine access."
The University is a public institution and all University information
may be accessed when considered necessary and legally appropriate. The
Executive Vice Chancellor (EVC) or the EVC's designates may authorize
inspection of information systems files in a number of circumstances
including, but not limited to:
Access under these circumstances is "non-routine access."
In all circumstances, University employees (technicians, technical managers, etc.) with access to electronic information other than that which they have created or accumulated (including electronic mail files, data files, files revealing patterns of communication and access, and other related information) bear a special responsibility to respect the confidentiality of that information. They shall never access electronic information of any kind except as specifically authorized by this policy and they shall never share information acquired in the course of authorized access except as clearly warranted by the circumstances precipitating the access (university employees are obligated to report clear evidence of illegal activity if and when they encounter it). Anyone who compromises this special responsibility is subject to the University's disciplinary action process including dismissal.
"Information systems files:" Any information stored in any electronic
format on any University system including, but not limited to, servers,
desktop computers, portable computers, document management systems,
telephone switch and associated devices, and handheld devices ("PDAs").
Examples of such files include word processing documents, electronic
mail, PeopleSoft administrative system files, graphics files, web files,
and voicemail.
"Information systems usage records:" network device activity logs, server
logs, etc.
"Executive Vice Chancellor's designates:" the Vice Chancellor for Administration,
the Associate Vice Chancellor for Information Resources, the Director
of Human Resources, or others designated by the Executive Vice Chancellor.
This policy applies to everyone at all campuses and sites of the University of Kansas Medical Center. There are no exemptions.
Anyone who believes that non-routine access to information systems files or usage records is necessary should consult directly and immediately with the Executive Vice Chancellor, the Vice Chancellor for Administration, the Associate Vice Chancellor for Information Resources, or the Director of Human Resources.
a. Virus scanning of electronic mail
All incoming and outgoing electronic mail is scanned for viruses. When
a virus is discovered, the email message is automatically cleaned and
delivered. If the message cannot be cleaned, it is quarantined and the
sender is automatically notified. A Technical Project Leader may access
email files to investigate the source of a virus, to restore corrupted
mailboxes, to recover lost messages, or to perform additional troubleshooting
or maintenance tasks. Only authorized Technical Project Leaders and
the Associate Director for Telecommunications and Networking have administrative
access to the email gateways.
The virus scanning does not reveal the contents of electronic messages;
however, messages may be examined in the course of investigating a virus
attack.
b. Internet traffic patterns
The Security Administrator and authorized Wide Area Network specialists
use utilities that identify patterns of Internet traffic that may pose
threats to KUMC (and other) information systems. The S.A. scans logs
generated by these utilities to differentiate genuine intrusion attempts
from false alarms and alerts the stewards of target computers as necessary.
This routine scanning does not reveal the contents of Internet traffic.
It is possible (although painstaking) to use the logs to establish
patterns of Internet use by individuals. Those with access to the logs
are expressly forbidden to do so except as authorized per this policy.
c. Website use patterns
Internet Development, in its website management role, collects aggregate
data (e.g., how many page views a certain file receives within a certain
time frame) about the use of various resources on KU Medical Center
web servers. ID collects no data related to individual use.
d. Software license compliance on desktop computers
The University and its departments provide many commercial software
products for use by employees and students. Unauthorized duplication
or use of software violates copyright law and exposes the individuals
involved and the University to civil and criminal liability.
Authorized technicians use software utilities to check desktop computers
for installed copies of a core set of programs. The Associate Director
for Telecommunications and Networking provides inventories to each department.
The department reconciles installed programs with numbers of licenses
to ensure copyright compliance. A Network Specialist/Technical Project
Leader also may access inventories for troubleshooting purposes. Only
authorized Technical Project Leaders and the Associate Director for
Telecommunications and Networking have administrative access to the
inventories.
The software utilities do not access or record information about data
files.
e. Modems
Desktop modems enable staff members to telecommute or to access remote
resources. However, when attached to a networked computer, modems also
present a security risk. Modems may be used as a "back door" to gain
access to other systems on the network.
Periodically, the Department of Information Resources scans the network
for modems and works with employees to ensure that appropriate security
procedures are in place.
Only the Associate Director for Telecommunications and Networking, the
Director of Telecommunications and Networking, and the Security Administrator
have administrative access to modem scan records.
The modem scans collect no information except the existence and location
of modems.
f. Long distance calling logs
The telephone switch logs the date, time, originating phone number, and
number called for every long distance call. These logs
are regularly provided to department managers.
The logs contain information about numbers called but not about the
content of the conversations.
For information on this
policy, please contact:
Jim Bingham
Associate Vice Chancellor for Information Resources
Chief Information Officer
University of Kansas Medical Center
2100 West 39th
Kansas City, Kansas 66160
(913) 588-7300
