Suggested Charter for System Administrators
This document has been prepared by Andrew Cormack, Chief Regulatory Adviser at Jisc Technologies. It is endorsed by the Universities and Colleges Information Systems Association (UCISA). Members of the UCISA Networking Group were closely consulted during the drafting process.
We hope that this charter will be useful to three groups: to users, who wish to know the powers of administrators and to be assured that these will not be abused; to administrators themselves, who are often concerned about the legality and implications of their actions; and to managers, to understand the reasonable requirements of the administrators' job and the activities they will be required to support.
Institutions will, of course, consult their legal advisers and make their own arrangements to comply with legislation. However, we suggest that this charter, or an equivalent statement of rights and responsibilities, should form part of the job description or job instructions of any person employed as a system or network administrator. We believe that this will go some way to compliance with the requirements for authorisation contained in the Investigatory Powers Act 2016, and for procedures to protect personal data contained in the Data Protection Act 2018.
Acceptance of the rights and privileges of authorised administrators should be a condition of use of any computer connected to a network and also of connecting any computer to the network.
A Suggested Charter for System and Network Administrators
- Introduction
- Authorisation & Authority
- Permitted Activities
- Disclosure of Information
- Intentional Modification of Data
- Unintentional Modification of Data
- References
Introduction
System and network administrators, as part of their daily work, need to perform actions which may result in the disclosure of information held by other users in their files, or sent by users over communications networks. This charter sets out the actions of this kind which authorised administrators may expect to perform on a routine basis, and the responsibilities which they bear to protect information belonging to others. Administrators also perform other activities, such as disabling machines or their network connections, that have no privacy implications; these are outside the scope of this charter and should be the subject of local working arrangements.
On occasion, administrators may need to take actions beyond those described in this charter. Some of these situations are noted in the charter itself. In all cases they must seek individual authorisation from the appropriate person in their organisation for the specific action they need to take. Such activities may well have legal implications for both the individual and the organisation, for example under the Data Protection and Human Rights Acts. Organisations should therefore ensure that they have information and procedures in place, including delegation of authority for routine requests, to ensure that such authorisation can be obtained promptly in all circumstances and is given in accordance with the law. Keeping good records, preferably against a pre-prepared checklist, will help to protect the investigator and the institution from any charge of improper actions. Organisations should consider including additional safeguards, such as secure audit logs, oversight by a colleague, or separation of duties, in their procedures.
System and network administrators must always be aware that the privileges they are granted place them in a position of considerable trust. Any breach of that trust, by misusing privileges or failing to maintain a high professional standard, not only makes their suitability for the system administration role doubtful, but is likely to be considered by their employers as gross misconduct. Administrators must always work within their organisation's information security and data protection policies, and should seek at all times to follow professional codes of behaviour such as the following:
- ACM Code of Ethics and Professional Conduct
- BCS Code of Conduct and Code of Good Practice
- Usenix System Administrator's Code of Ethics
- SANS IT Code of Ethics
- EthicsfIRST Ethics for Incident Response and Security Teams
It is increasingly common for organisations to use externally provided services. It is important for the commissioning organisation to be absolutely clear on its own role and that of the service provider with respect to the Data Protection Act and other relevant legislation. The commissioning organisation must ensure that the service provider has appropriate controls in place to regulate the activities of its system administrators, and that clear joint procedures are in place for the handling of the situations outlined in this charter.
Authorisation and Authority
System and network administrators require formal authorisation from the "owners" of any equipment they are responsible for. The law refers to "the person with a right to control the operation or the use of the system". In a university or college this right is likely to be delegated by the organisation to the Head of IT, or equivalent function. This person is therefore usually the appropriate authority to grant authorisation to network administrators working on the college network. Individual systems connected to the network may have more complicated ownership, as they may be formally the property of departments or other divisions. Authority in these cases will need to be worked out locally, but it may be easiest to delegate authority to the Head of IT either as part of the agreement by which a computer is managed centrally, or as a condition of connecting to the network. This document will use the term "Head of IT" on the assumption that authority over all systems on the network has been granted to that post: institutions may replace this with an appropriate title or group to suit local circumstances.
If any administrator is ever unsure about the authority they are working under then they should stop and seek advice immediately, as otherwise there is a risk that their actions may be in breach of the law.
Permitted Activities
The duties of system administrators can be divided into two areas.
The first duty of an administrator is to ensure that networks, systems and services are available to users and that information is processed and transferred correctly, preserving its integrity. Here the administrator is acting to protect the operation of the systems for which they are responsible. For example, investigating a denial of service attack or a defaced web server is an operational activity, as is the investigation of crime.
Many administrators also play a part in monitoring compliance with policies which apply to the systems. For example, some organisations may prohibit the sending or viewing of particular types of material, may restrict access to certain external sites, or may ban certain services from local systems or networks. The Janet Acceptable Use Policy prohibits certain uses of the network. In all of these cases the administrator is acting in support of policies, rather than protecting the operation of the system.
The law differentiates between operational and policy actions, for example in section 45 of the Investigatory Powers Act 2016, so the administrator should be clear, before undertaking any action, whether it is required as part of their operational or policy role. The two types of activity are dealt with separately in the following sections.
Operational activities
Where necessary to ensure the proper operation of networks or computer systems for which they are responsible, authorised administrators may:
- monitor and record traffic on those networks or display it in an appropriate form;
- examine any relevant files on those computers;
- rename any relevant files on those computers or change their access permissions (see Modification of Data below);
- create relevant new files on those computers.
Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it, the administrator must not attempt to make the content readable without specific authorisation from the Head of IT or the owner of the file.
The administrator must ensure that these activities do not result in the loss or destruction of information. If a change is made to user filestore then the affected user(s) must be informed of the change and the reason for it as soon as possible after the event.
Policy activities
Administrators must not act to monitor or enforce policy unless they are sure that all reasonable efforts have been made to inform users both that such monitoring will be carried out and of the policies to which it will apply. If this has not been done through a general notice to all users, then before a file is examined, or a network communication monitored, individual permission must be obtained from the owner(s) of the files or from all the parties involved in the network communication.
Provided administrators are satisfied that either a general notice has been given or specific permission granted, they may act as follows to support or enforce policy on computers and networks for which they are responsible:
- monitor and record traffic on those networks or display it in an appropriate form;
- examine any relevant files on those computers;
- rename any relevant files on those computers or change their access permissions or ownership (see Modification of Data below);
- create relevant new files on those computers.
Where the content of a file or communication appears to have been deliberately protected by the owner, for example by encrypting it or by marking it as personal, the administrator must not examine or attempt to make the content readable without specific authorisation from the Head of IT or the owner of the file.
The administrator must ensure that these activities do not result in the loss or destruction of information. If a change is made to user filestore then the affected user(s) must be informed of the change and the reason for it as soon as possible after the event.
Disclosure of information
System and network administrators are required to respect the secrecy of files and correspondence.
During the course of their activities, administrators are likely to become aware of information which is held by, or concerns, other users. Any information obtained must be treated as confidential - it must neither be acted upon, nor disclosed to any other person unless this is required as part of a specific investigation:
- Information relating to the current investigation may be passed to managers or others involved in the investigation;
- Information that does not relate to the current investigation must only be disclosed if it is thought to indicate an operational problem, or a breach of local policy or the law, and then only to the Head of IT (or, if this is not appropriate, to a senior manager of the organisation) for them to decide whether further investigation is necessary.
Administrators must be aware of the need to protect the privacy of personal data and sensitive personal data (within the meaning of the Data Protection Act 2018) that is stored on their systems. Such data may become known to authorised administrators during the course of their investigations. Particularly where this affects sensitive personal data, any unexpected disclosure should be reported to the relevant data controller.
Intentional Modification of Data
For both operational and policy reasons, it may be necessary for administrators to make changes to user files on computers for which they are responsible. Wherever possible this should be done in such a way that the information in the files is preserved:
- rename or move files, if necessary to a secure off-line archive, rather than deleting them;
- instead of editing a file, move it to a different location and create a new file in its place;
- remove information from public view by changing permissions (and if necessary ownership).
Where possible the permission of the owner of the file should be obtained before any change is made, but there may be urgent situations, particularly when dealing with Operational issues, where this is not possible. These are reflected in the different routine permissions for Operational and Policy investigations above: for Policy issues there should be sufficient time to seek authorisation to access personal filespace, and changing file ownership may be sufficient to address the immediate issue. In every case the user must be informed as soon as possible what change has been made and the reason for it.
The administrator may not, without specific individual authorisation from the appropriate authority, modify the contents of any file in such a way as to damage or destroy information.
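The following POSIX shell functions are an added illustration of the information-preserving changes the charter lists above; they are not part of the charter or of any institution's tooling. `withdraw_file` moves a file into an administrator-only archive (rather than deleting it) and leaves a replacement file in its place that tells the owner what happened and why; `restrict_file` removes a file from public view by stripping group and other permissions. Both append a timestamped record to an action log. The archive directory, the log file name and the wording of the replacement note are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not the charter's own procedure): withdraw or restrict a user
# file without destroying its contents, and record every action taken.

# Append a timestamped line to the action log kept inside the archive directory.
record() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# Move a file into the archive instead of deleting it, and create a new file in
# its place explaining the change (charter: "move it ... and create a new file").
# Usage: withdraw_file <file> <reason> <archive-dir>
withdraw_file() {
    src="$1"; reason="$2"; ARCHIVE="$3"; LOG="$ARCHIVE/actions.log"
    # The archive is readable only by the administrator account running this.
    mkdir -p "$ARCHIVE" && chmod 0700 "$ARCHIVE" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest="$ARCHIVE/$(basename "$src").$stamp"
    # Record the original's mode, owner and mtime before anything touches it.
    ls -l "$src" >> "$dest.meta" || return 1
    mv "$src" "$dest" || return 1
    chmod 0400 "$dest"          # archived copy is read-only from here on
    # Replacement file: tells the owner what was done and why (charter: inform the user).
    printf 'This file was withdrawn by the system administrators on %s.\nReason: %s\nThe original has been archived, not deleted. Contact the IT service desk.\n' \
        "$stamp" "$reason" > "$src"
    record "withdrew $src to $dest reason=$reason"
}

# Remove a file from public view in place: owner keeps access, group/other lose it.
# (Changing ownership as well would need root and is left out of this example.)
# Usage: restrict_file <file> <archive-dir>
restrict_file() {
    target="$1"; ARCHIVE="$2"; LOG="$ARCHIVE/actions.log"
    mkdir -p "$ARCHIVE" || return 1
    ls -l "$target" >> "$ARCHIVE/$(basename "$target").meta" || return 1
    chmod go-rwx "$target" || return 1
    record "restricted $target to owner-only access"
}

# Command-line use: withdraw <file> <reason> <archive> | restrict <file> <archive>
case "$1" in
    withdraw) withdraw_file "$2" "$3" "$4" ;;
    restrict) restrict_file "$2" "$3" ;;
esac
```

Both functions leave the original bytes recoverable and write the record the charter asks for; the replacement note is what lets the affected user learn of the change even before the formal notification reaches them.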
Unintentional Modification of Data
Administrators must be aware of the unintended changes that their activities will make to systems and files. For example, listing the contents of a directory may well change the last accessed time of the directory and all the files it contains; other activities may well generate records in logfiles. This may destroy or at best confuse evidence that may be needed later in the investigation.
Where an investigation may result in disciplinary charges or legal action, great care must be taken to limit such unintended modifications as far as possible and to account for them. In such cases a detailed record should be kept of every command typed and action taken. If a case is likely to result in legal or disciplinary action, the evidence should first be preserved using accepted forensic techniques and any investigation performed on a second copy of this evidence.
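As an added example of the evidence-preservation step described above (not the charter's own procedure, and not a substitute for a full forensic image of the disk), the POSIX shell functions below take a single file as evidence: they hash the original, record its metadata, copy it with timestamps and mode preserved, verify that the copy's hash matches, make the copy read-only and write every step to an action log. All later examination is then done on the copy, and `verify_evidence` can be re-run at any point to show the copy is unchanged. It assumes `sha256sum` (or `shasum`) and `cp -p` are available; the evidence directory layout and file suffixes are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the charter): preserve one file as evidence and keep a
# record of every action, so that investigation happens on a verified copy.

# SHA-256 of a file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append a timestamped record of an action (charter: "a detailed record ... of every action taken").
log_action() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$ACTION_LOG"
}

# Usage: preserve_evidence <original-file> <evidence-dir>
preserve_evidence() {
    src="$1"; evdir="$2"
    mkdir -p "$evdir" && chmod 0700 "$evdir" || return 1
    ACTION_LOG="$evdir/actions.log"
    name=$(basename "$src")
    # Hash the original first, before any other access can disturb it.
    orig_hash=$(hash_file "$src") || return 1
    log_action "hashed original $src sha256=$orig_hash"
    # Capture mode, owner, size and mtime of the original (reading it already
    # updates its access time, which is exactly the kind of change to account for).
    ls -l "$src" >> "$evdir/$name.meta"
    log_action "recorded metadata of $src"
    # Copy preserving mode and timestamps; all examination happens on this copy.
    cp -p "$src" "$evdir/$name.copy" || return 1
    copy_hash=$(hash_file "$evdir/$name.copy")
    log_action "copied to $evdir/$name.copy sha256=$copy_hash"
    if [ "$orig_hash" != "$copy_hash" ]; then
        log_action "HASH MISMATCH: copy of $src rejected"
        return 2
    fi
    chmod 0400 "$evdir/$name.copy"           # examination must not alter the copy
    printf '%s  %s\n' "$orig_hash" "$name.copy" > "$evdir/$name.sha256"
    log_action "verified copy of $src; hash stored in $evdir/$name.sha256"
    return 0
}

# Re-check a stored copy against its recorded hash. Usage: verify_evidence <evidence-dir> <name>
verify_evidence() {
    evdir="$1"; name="$2"
    ACTION_LOG="$evdir/actions.log"
    expected=$(cut -d' ' -f1 "$evdir/$name.sha256") || return 1
    actual=$(hash_file "$evdir/$name.copy") || return 1
    if [ "$expected" = "$actual" ]; then
        log_action "verify $name.copy OK sha256=$actual"
        return 0
    fi
    log_action "verify $name.copy FAILED expected=$expected actual=$actual"
    return 1
}

# Command-line use: preserve <file> <evidence-dir> | verify <evidence-dir> <name>
case "$1" in
    preserve) preserve_evidence "$2" "$3" ;;
    verify)   verify_evidence "$2" "$3" ;;
esac
```

The action log and the stored hash are what let an investigator later account for every change, including the unavoidable ones such as the original's access time being updated when it was read.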
References
It is not possible to list all the legislation which applies to the work of system and network administrators. However the following Acts are particularly relevant to the activities covered by this charter.
- The Investigatory Powers Act 2016 in particular s.45 on Operational activities and s.46 on Policy ones;
- The Data Protection Act 2018 and the General Data Protection Regulation;
- The Human Rights Act 1998.
The Office of the Information Commissioner's Employment Practice Code (with quick guide) includes a section on Monitoring at Work, including use of computers and networks.
Guidelines to good forensic practice are available, for example
- Association of Chief Police Officers (ACPO) Good Practice Guide for Computer Based Evidence;
- CERT Co-ordination Center First Responders Guide to Digital Forensics (USA).
A selection of examples has been written to illustrate how the charter might be applied to particular situations.
Version 1.5
Comments
The link for CERT Co-ordination Center First Responders Guide to Computer Forensics (USA) is broken, the guide is now at http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=7251
Jerry, Thanks, especially for making my life easy by looking out the correct links for me :-)
Is something needed about the system admins of managed services? I suggest adding the following:
Managed Services
It is increasingly common for organisations to use externally provided services. It is important for the commissioning organisation to be absolutely clear on its own role and that of the service provider with respect to the Data Protection Act and other relevant legislation. The commissioning organisation must ensure that the service provider has appropriate controls in place to regulate the activities of its system administrators, and that clear joint procedures are in place for the handling of the situations outlined in this charter.