SUGGESTED CHARTER FOR SYSTEM ADMINISTRATORS

Introduction | JANET Policies | Laws on Networking | Regulated Activities | Other Documents

SUGGESTED CHARTER FOR SYSTEM ADMINISTRATORS

This document has been prepared by Andrew Cormack, Chief Regulatory Adviser at JANET(UK). It is endorsed by the Universities and Colleges Information Systems Association (UCISA). Members of the UCISA Networking Group were closely consulted during the drafting process.

We hope that this charter will be useful to three groups: to users who wish to know the powers of administrators and to be assured that these will not be abused; to administrators themselves who are often concerned about the legality and implications of their actions; to managers to understand what are the reasonable requirements of the administrators' job and what activities they will be required to support.

Institutions will, of course, consult their legal advisers and make their own arrangements to comply with legislation. However, we suggest that this charter, or an equivalent statement of rights and responsibilities, should form part of the job description or job instructions of any person employed as a system or network administrator. We believe that this will go some way to compliance with the requirements for authorisation contained in the Regulation of Investigatory Powers Act 2000, and for procedures to protect personal data contained in the Data Protection Act 1998.

Acceptance of the rights and privileges of authorised administrators should be a condition of use of any computer connected to a network and also of connecting any computer to the network.

A Suggested Charter for System and Network Administrators

Introduction
Authorisation & Authority
Permitted Activities
Disclosure of Information
Intentional Modification of Data
Unintentional Modification of Data
References

Introduction

System and network administrators, as part of their daily work, need to perform actions which may result in the disclosure of information held by other users in their files, or sent by users over communications networks. This charter sets out the actions of this kind which authorised administrators may expect to perform on a routine basis, and the responsibilities which they bear to protect information belonging to others. Administrators also perform other activities, such as disabling machines or their network connections, that have no privacy implications; these are outside the scope of this charter and should be the subject of local working arrangements.

On occasion, administrators may need to take actions beyond those described in this charter. Some of these situations are noted in the charter itself. In all cases they must seek individual authorisation from the appropriate person in their organisation for the specific action they need to take. Such activities may well have legal implications for both the individual and the organisation, for example under the Data Protection and Human Rights Acts. Organisations should therefore ensure that they have information and procedures in place, including delegation of authority for routine requests, to ensure that such authorisation can be obtained promptly in all circumstances and is given in accordance with the law. Keeping good records, preferably against a pre-prepared checklist, will help to protect the investigator and the institution from any charge of improper actions.

System and network administrators must always be aware that the privileges they are granted place them in a position of considerable trust. Any breach of that trust, by misusing privileges or failing to maintain a high professional standard, not only makes their suitability for the system administration role doubtful, but is likely to be considered by their employers as gross misconduct. Administrators must always work within their organisation's information security and data protection policies, and should seek at all time to follow professional codes of behaviour such as the following:

Authorisation and Authority

System and network administrators require formal authorisation from the "owners" of any equipment they are responsible for. The law refers to "the person with a right to control the operation or the use of the system". In a university or college this right is likely to be delegated by the organisation to the Head of IT, or equivalent function. This person is therefore usually the appropriate authority to grant authorisation to network administrators working on the college network. Individual systems connected to the network may have more complicated ownership, as they may be formally the property of departments or other divisions. Authority in these cases will need to be worked out locally, but it may be easiest to delegate authority to the Head of IT either as part of the agreement by which a computer is managed centrally, or as a condition of connecting to the network. This document will use the term "Head of IT" on the assumption that authority over all systems on the network has been granted to that post: institutions may replace this be an appropriate title of group to suit local circumstances.

If any administrator is ever unsure about the authority they are working under then they should stop and seek advice immediately, as otherwise there is a risk that their actions may be in breach of the law.

The duties of system administrators can be divided into two areas.

The first duty of an administrator is to ensure that networks, systems and services are available to users and that information is processed and transferred correctly, preserving its integrity. Here the administrator is acting to protect the operation of the systems for which they are responsible. For example investigating a denial of service attack or a defaced web server is an operational activity as is the investigation of crime.

Many administrators also play a part in monitoring compliance with policies which apply to the systems. For example some organisations may prohibit the sending or viewing of particular types of material; or may restrict access to certain external sites, or ban certain services from local systems or networks. The JANET Acceptable Use Policy prohibits certain uses of the network. In all of these cases the administrator is acting in support of policies, rather than protecting the operation of the system.

The law differentiates between operational and policy actions, for example in section 3(3) of the Regulation of Investigatory Powers Act 2000, so the administrator should be clear, before undertaking any action, whether it is required as part of their operational or policy role. The two types of activity are dealt with separately in the following sections.

Operational activities

Where necessary to ensure the proper operation of networks or computer systems for which they are responsible, authorised administrators may:

monitor and record traffic on those networks or display it in an appropriate form;
examine any relevant files on those computers;
rename any relevant files on those computers or change their access permissions (see Modification of Data below);
create relevant new files on those computers.

Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it, the administrator must not attempt to make the content readable without specific authorisation from the Head of IT or the owner of the file.

The administrator must ensure that these activities do not result in the loss or destruction of information. If a change is made to user filestore then the affected user(s) must be informed of the change and the reason for it as soon as possible after the event.

Policy activities

Administrators must not act to monitor or enforce policy unless they are sure that all reasonable efforts have been made to inform users both that such monitoring will be carried out and the policies to which it will apply. If this has not been done through a general notice to all users then before a file is examined, or a network communication monitored, individual permission must be obtained from all the owner(s) of files or all the parties involved in a network communication.

Provided administrators are satisfied that either a general notice has been given or specific permission granted, they may act as follows to support or enforce policy on computers and networks for which they are responsible:

monitor and record traffic on those networks or display it in an appropriate form;
examine any relevant files on those computers;
rename any relevant files on those computers or change their access permissions or ownership (see Modification of Data below);
create relevant new files on those computers.

Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it or by marking it as personal, the administrator must not examine or attempt to make the content readable without specific authorisation from the Head of IT or the owner of the file.

Disclosure of information

System and network administrators are required to respect the secrecy of files and correspondence.

During the course of their activities, administrators are likely to become aware of information which is held by, or concerns, other users. Any information obtained must be treated as confidential - it must neither be acted upon, nor disclosed to any other person unless this is required as part of a specific investigation:

Information relating to the current investigation may be passed to managers or others involved in the investigation;
Information that does not relate to the current investigation must only be disclosed if it is thought to indicate an operational problem, or a breach of local policy or the law, and then only to the Head of IT (or, if this is not appropriate, to a senior manager of the organisation) for them to decide whether further investigation is necessary.

Administrators must be aware of the need to protect the privacy of personal data and sensitive personal data (within the meaning of the Data Protection Act 1998) that is stored on their systems. Such data may become known to authorised administrators during the course of their investigations. Particularly where this affects sensitive personal data, any unexpected disclosure should be reported to the relevant data controller.

Intentional Modification of Data

For both operational and policy reasons, it may be necessary for administrators to make changes to user files on computers for which they are responsible. Wherever possible this should be done in such a way that the information in the files is preserved:

rename or move files, if necessary to a secure off-line archive, rather than deleting them;
instead of editing a file, move it to a different location and create a new file in its place;
remove information from public view by changing permissions (and if necessary ownership).

Where possible the permission of the owner of the file should be obtained before any change is made, but there may be urgent situations where this is not possible. In every case the user must be informed as soon as possible what change has been made and the reason for it.

The administrator may not, without specific individual authorisation from the appropriate authority, modify the contents of any file in such a way as to damage or destroy information.

Unintentional Modification of Data

Administrators must be aware of the unintended changes that their activities will make to systems and files. For example, listing the contents of a directory may well change the last accessed time of the directory and all the files it contains; other activities may well generate records in logfiles. This may destroy or at best confuse evidence that may be needed later in the investigation.

Where an investigation may result in disciplinary charges or legal action, great care must be taken to limit such unintended modifications as far as possible and to account for them. In such cases a detailed record should be kept of every command typed and action taken. If a case is likely to result in legal or disciplinary action, the evidence should first be preserved using accepted forensic techniques and any investigation performed on a second copy of this evidence.

References

It is not possible to list all the legislation which applies to the work of system and network administrators. However the following Acts are particularly relevant to the activities covered by this charter.

The Regulation of Investigatory Powers Act 2000 and the secondary Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000;
The Data Protection Act 1998;
The Human Rights Act 1998.

The Office of the Information Commissioner's Employment Practice Code (with quick guide and supplementary guidance) includes a section on Monitoring at Work, including use of computers and networks.

Guidelines to good forensic practice are available, for example

Association of Chief Police Officers (ACPO) Good Practice Guide for Computer Based Evidence;
JISCLegal technical investigation process;
CERT Co-ordination Center First Responders Guide to Computer Forensics (USA)

A selection of examples have been written to illustrate how the charter might be applied to particular situations.

Version 1.3