DUKE ITAC - July 1, 1999 Minutes
July 1, 1999
Attending: Ed Anapol, Pakis Bessias, John Board, Dick Danner, David Ferriero, David Jamieson-Drake, Betty Leydon, Roger Loyd, Melissa Mills, Caroline Nisbet, John Oates, George Oberlander, Lynne O'Brien, Rafael Rodriguez, John Sigmon, Matt Brown (for Clark Smith), Robert Wolpert, and Alfred Trozzo (for Paul Harrod)
Guests: Sue Wasiolek, Kacie Wallace, Bob Currier, Chris Cramer, and Charles Register
Before the official start of the meeting, Betty Leydon thanked John Sigmon for his work with ITAC and for serving as chair while Robert Wolpert was on sabbatical. She welcomed Robert Wolpert back as chair of the committee.
Review of Minutes and Announcements:
- The minutes of the June 3, 1999 meeting were approved without revision.
- Rafael Rodriguez announced that ACPUB disk space will be expanded this fall. Allocations for individuals for email will go from 10MB to 30MB. Allocation for private space will go from 10MB to 17MB. Individuals who need more space for course work or special projects can request additional disk space.
- OIT is still negotiating with GTE regarding ADSL rates and contract length.
- SAP went "live" at Durham Hospital and seems to be working well.
- Duke University Health Systems also went "live" with a time and attendance system, implemented by the API team.
- When the SAP payroll module goes live in July, 2000, it will be interfaced to the API system.
IT security policy discussion
- Kate Hendrix was invited to this meeting but unable to attend.
John Sigmon framed the discussion around four questions:
- What is the purpose of a security policy?
- What policies are already in existence?
- What is legal?
- What do we need to do from here?
Betty Leydon pointed out that there is an inherent tension between protecting the university and providing reasonable access to information.
Various questions and possible scenarios were raised throughout the discussion. For example, would it be appropriate for a student to run a business using a Duke IP address? If not, what is the obligation to intercede, or to warn in advance? What options are available for interceding?
Duke has a policy "Computing and Electronic Communications at Duke University" that can be used in some circumstances.
Dick Danner asked what ITAC's authority is to set policy in this area. The Law School has a policy somewhat at odds with the existing OIT statement. It would be important for the Academic Council to review and approve any ITAC proposed policy.
John Board stated that ITAC does not have authority to create policy. ITAC advises the Provost who can use a policy as a guideline for schools to follow. The Provost and Human Resources would need to decide when a policy applied to the full university.
Student affairs has two general principles they use:
- Anything in violation of federal or state law is also a violation of Duke rules.
- Students must be given fair warning before administrators take action against them.
If Duke police are involved in searching a room, they must have a regular magistrate's search warrant. A university student affairs office administrator may enter a room without a magistrate's warrant, but they must have a university administrative search warrant (for example, if concerned about a student's safety or looking for stolen property, such as lounge furniture). Anything found probably could not be used in a court of law, but the university can use it in university judicial proceedings. The Duke Bulletin outlines this policy.
John Board asked: if a student were suspected of having files that disrupted the department's network or that indicated cheating, would he be able to put a freeze on that student's computer?
So far, in cases like this, student affairs staff would probably talk with Charlie Register for advice and would probably get a university warrant.
Melissa Mills reminded the group that this spring there were severe security problems that brought the university nearly to a standstill; it wasn't just a minor inconvenience.
John Sigmon asked what sanctions could be included as part of a security policy.
The university alcohol policy is the only one that has a specific and absolute sanction. All other violations are handled on a case-by-case basis. Students sign a contract for use of the residence halls, so there are contractual agreements apart from judicial policies. A standing committee appointed by the VP for Student Affairs meets periodically to set and refine judicial policies. Often violations can be mediated without official sanctions. Faculty and staff are not within the authority of student affairs or its judicial process.
John Oates reminded the group that the Academic Council does not have authority to set policy; they are an advisory board. The Library has policies governing use of books. OIT has policies about payment of phone bills. There is a bridge painting policy, a bench burning policy. Different groups create and enforce these policies. Charlie Register has recently updated a policy statement about computing that will go in the student handbook for the coming fall semester.
David Jamieson-Drake pointed out that guidelines serve an educational purpose. They are probably more like an honor code than a policy with official sanctions and judicial actions. Denial of service attacks could probably be handled within the current rules about harming others. Similarly, rules already exist about whether people can run businesses within a non-profit organization.
Several people asked to reframe the purpose of the discussion. Several possible goals for developing a policy were mentioned: protecting the university from liability; protecting the security of the network.
Robert Wolpert reminded the group that there is a need to protect academic freedom, and the tradition in the University is to err on the side of protecting individuals' freedom and privacy.
Melissa Mills suggested we focus mostly on system security issues. For example, can a system administrator deny access to an individual whose computer seems to be disrupting the network?
Dick Danner pointed out that we cannot separate security from the privacy and academic freedom issues. We can't write law, but we can set policies and guidelines. If we focus on guidelines, a list of do's and don'ts, we may be able to accomplish more.
Charlie Register stated that he needs a document for public education, a policy that can help us compare our level of risk and our preparedness for handling security threats to recommended guidelines, and some suggestions for how to handle real-life problems.
Robert Wolpert summarized the discussion so far by saying there are four possible goals for a policy or guidelines:
- protect system security
- indemnify the university
- educate users
- protect privacy and academic freedom
The most pressing issue seems to be establishing guidelines.
Charlie Register has provided a set of clearer guidelines for the student handbook.
Dick Danner pointed out that rules and regulations are more enforceable than guidelines. The Honor Code is not binding unless a person agrees to abide by it.
Charlie Register would like to see new users sign some kind of agreement when they get an account.
The ITAC steering committee will collect people's suggestions and provide a summary to consider at the next meeting.