re: Systems staff policy guidelines

btk@matrix.cray.com (Bryan Koch) Tue, 10 April 1990 19:05 UTC

Received: from timbuk.cray.com by cert.sei.cmu.edu (5.61/2.2) id AA17639; Tue, 10 Apr 90 15:05:58 -0400
Received: from matrix.cray.com by timbuk.CRAY.COM (4.1/CRI-1.34) id AA01829; Tue, 10 Apr 90 14:06:34 CDT
Received: by matrix.cray.com id AA11099; 4.0/CRI-3.12; Tue, 10 Apr 90 14:05:54 CDT
Date: Tue, 10 Apr 1990 14:05:54 -0500
From: btk@matrix.cray.com
Message-Id: <9004101905.AA11099@matrix.cray.com>
To: ssphwg@cert.sei.cmu.edu
Subject: re: Systems staff policy guidelines

We have a document titled "Policies and Procedures for Computer and 
Network Security", created about a year ago and distributed (after an
extensive set of internal reviews) to all users of our corporate 
networks.  There was a debate about whether or not to require 
employee sign-off on the new policies.  Our legal staff said that
new policies are created all the time; sign-off wasn't needed if we
could prove that we had effectively communicated the policies.  (That's
the usual reason for requiring signatures.)  

Our policies document is general, describing objectives and values rather
than being very specific.  There is a section on Administration and Security
that deals with the responsibilities of administrators and the limits to
their powers.  It begins:

	In the course of system operations, when problems occur,  and  to
	ensure  system integrity, system administrators and security per-
	sonnel may examine the state and  the  contents  of  user  files,
	directories,  and other aspects of user accounts.  These adminis-
	trative activities, and  any  others  performed  while  exploring
	security  or system integrity threats are exempt from the privacy
	policy described above.  Administrators  will  not  examine  user
	data except as it relates to these administrative activities.