network technicians acceptable use policy

[maestromasada]

chilli morning fellows,
just wondering if you got a policy in place specifically for network technicians, a sort of AUP that they can sign to acknowledge certain rules like for example:
- installing inappropriate software on the servers will take disciplinary actions.
-accessing staff e-mails/documents without their permission will take disciplinary actions.
You probably are wondering now what sort of network environment or working condition we have to wanted to do this AUP, but though I trust the technicians, I can't really be sure what they are doing at my back with the admin accounts, and because they provide support, they legitimate need to get access to certain admins areas and consoles that give them access to lots of confidential data.
I just wondering if some of you have had a similar concern

[markcuk]

that's all very good but what about yourself?

[maestromasada]

Thank you for highlight the fact. One of my roles as a network manager is to make people unhappy. After all it is my head on the tray if something goes wrong.

[SimpleSi]

You've brought up a very good point.

I (and probably most primary techs) operate on just a trust basis which would probably make enforcing disiplinary action (if we went off the reservation) quite difficult (I'm thinking access to email accounts and confidential information or perceived IT negligence)

But then again,my schools usually have policy statements that say that staff are to keep ANY information confidential so that might cover things.

Interesting

Si

[alan-d]

We all sign the same AUP as the Staff. It contains the line

Any user identified as a security risk may be denied access to the system and be subject to disciplinary action.

It is part of our job to ensure the security and confidentiallity of the network and data, the problem is not what they see but what they do with the information they come across. The misuse of information then comes into the realms of disciplinary proceedings outside the AUP.

[bossman]

@maestromasada:

Trust is a 2 way process and to gain trust you have to earn it and a piece of paper with a signature on it doesn't speak to me of trust in any way shape or form.

As alan-d has put forward all staff sign an AUP but how many of the Teaching staff break that AUP every working day and how are they penalised? (there not) so why would a special AUP for your technicians be any better than a general AUP for all staff.

Give your guys a break and learn to trust I would trust my technicians with my life.

[Hightower]

We all sign the same AUP here, but a lot of it also comes down to trust in my opinion. If you can't trust your technicians then should they really be working in a school with confidential data?

A lot of it is common sense. I would hate people going through my files willy nilly, and expect it not to happen. So what gives me the right to go through other peoples files. If somebody phones up and I need to VNC in to their machine, I always ask if it is okay to remote in as they may have confidential data on the screen. The amount of times I've been emailed a confidential document that someone can't open and needs converting - do they stress that 'its confidential'? Not here, they expect you to do a job, so you do the job, deleting any copies of the email straight after.

Like I say, have them sign the staff AUP, but trust goes a long long way in a job like ours.

[maestromasada]

Thank you for your ideas and comments, I take all of them on board. My experience sadly has showed me that you can't fully trust anybody, specially when the trusted individual is out of the environment when the amount of existing trust has already been generated. For example, I trust my car to drive on the road but I will not trusted to drive over water!

Have seen some funny things lately (contracts the admin office tells me have been modified, people knowing how much each other is earning, jobs prospects, appraisal results some other people know, and some emails 'not in bold' that I hope are not related...) Investigation reveals that this unusual leak in documents info could have only happens using our existing VPN connection (the files show a modified time well into the night when school is closed). Legitimate users insisting they haven't change their own files, logs can't go any further, what am I to think of?

Will get them to sign something just to be on the same side and, in a way, to protect them, but God help me be the one who throw the first stone.

[Hightower]

what am I to think of?

Well you're certainly not to accuse or punish anybody until you know what is going on. Get your logs sorted, and find out before going any further. Restrict access where users aren't 'trained', so if you have a hardware tech, he shouldn't necessarily be logging on to the servers should he?

Take for instance, this morning I woke up to find water on the floor and a defrosted freezer. I strongly believe that the OH left the freezer open, but I don't KNOW this so I can't do anything about it this time. I can however set up an array of video camera's and pressure pads ready to catch the silly mare the next time she does, then I will be coming down on her like a fridge/freezer full of soggy defrosted food.

[penfold]

You dont need a seperate AUP just put the 2 issues into the all staff AUP so
- installing inappropriate software on the servers will take disciplinary actions.
-accessing staff e-mails/documents without their permission will take disciplinary actions.
then becomes appllicable to all staff regardless of their position. I do feel if you start looking at creating a seperate AUP for tech staff then where do you stop? What about SMT or finance who might leave their machine with confidential information on screen so anyone wondering into their office can see it?

Just cover all things your concerned about in a ALL STAFF AUP. Their Job Description should provide information as to what they should be doing with their access.

[SimpleSi]

I think your well beyond an AUP.

If someone is doing all this, I don't think a piece of paper is going to slow them down and you don't need their signature on an AUP to dismiss them on a conduct charge.

regards

Simon

[JJonas]

If someone is using remote access at night can you not see who is doing that?

[glennda]

Its written into our contract that we will abide by the Acceptable use policy of the school which is available on request the same as with all other members of staff.

It then saves the piece of paper being lots if for any reason disciplinary is taken it is then kept with HR so they blaim is on them!

[alan-d]

Thank you for your ideas and comments, I take all of them on board. My experience sadly has showed me that you can't fully trust anybody, specially when the trusted individual is out of the environment when the amount of existing trust has already been generated. For example, I trust my car to drive on the road but I will not trusted to drive over water!

Have seen some funny things lately (contracts the admin office tells me have been modified, people knowing how much each other is earning, jobs prospects, appraisal results some other people know, and some emails 'not in bold' that I hope are not related...) Investigation reveals that this unusual leak in documents info could have only happens using our existing VPN connection (the files show a modified time well into the night when school is closed). Legitimate users insisting they haven't change their own files, logs can't go any further, what am I to think of?

Will get them to sign something just to be on the same side and, in a way, to protect them, but God help me be the one who throw the first stone.

From what you say above I think you should look seriously at changing passwords and go over who has access to what and why. It may not be a technician, it could be another member of staff or even an outsider who has somehow got hold of account details that give them access.
Access via VPN should still be traceable if not by you then by your ISP (I assume it's the LEA).

I think your first priority is to look at the security of your network before you accuse anyone of anything.

[witch]

I sign the same AUP as the staff with a few modifications about accessing people's data when necessary etc.
Sounds like you have a bit of a bigger problem than that though. I agree that changing the passwords is a good idea as it will stop any outsider (possibly from the past) and may also act as a heads-up to anyone doing something they shouldn't be doing