IT Forum held to outline updates in new security policies

By Brendan Deady

(Katherine Mayo/Daily Collegian)

Matthew Dalton, University of Massachusetts’ chief information security officer, likened UMass’ Information Technology policies to a driver’s manual –  the policies apply to everyone but only those directly involved in the business of the road, like “commercial truck drivers,” tend to take notice of the specifics.

Dalton led an open forum in room 174-176 of the Campus Center Thursday afternoon to explain changes in the University’s acceptable use and confidentiality policies to a room of approximately 20 attendees. The academic “truck drivers” present were representatives from various academic and research departments to whom the specifics of the policies are like new rules of the digital road.

The policies, which were restructured at the end of the fall semester, apply to all individuals who access the University’s Internet services or any equipment attached to its network.

The updated confidentiality of institutional information and research data policy outlined specific roles and responsibilities for individuals who have access to sensitive research materials or data compiled by or through the University. The policy distinguishes between stewards and custodians of data.

A steward is an individual that acts as a liaison to the chancellor of a department that oversees whatever data passes through their area. Stewards are meant to oversee that all privacy, security and regulatory compliance regarding data is followed by custodians. Stewards also have the power to authorize who has access to their specific area as well as the scope of access for whatever custodians fall under their supervision.

Custodians, in this sense, are any individual, whether it be a clerical worker, volunteer or student receptionist that has access to data at their respective department. Although the policy outlines roles for stewards and requires custodians to undergo training, none of the steward positions have been filled according to Dalton.

Beyond assigning specific responsibilities for individuals with access to university data, the “upgraded” confidentiality policy also underwent a general restructuring of its language, according to Dalton.

“The previous policy read like a list of commandments and was full of thou shall not’s,” Dalton said.

He also clarified that the updates to IT’s security policies have no relation to the increase in IT fees for student tuition or complications with the University’s Wi-Fi network that have been persistent since the system received an upgrade in spring of 2015.

The new acceptable use of information technology and resources policy, instead of listing the negatives to avoid, provides a sweeping standard of conduct to prevent “administrative voyeurism,” according to Dalton. This applies to the practice where an individual in a certain department who has access to the broader network uses their access to look through records or data that aren’t directly applicable to their position.

Dalton said that there hasn’t been a history of voyeurism at UMass that he’s been aware of but the practice of digital snooping is common among large networks with multiple points of access. Dalton said, in general, that the update of the IT use and confidentiality policies are not in direct response to any security threats.

“With the rate of evolution of technology, you need the policies and the language of those policies to evolve alongside,” Dalton said.

The new acceptable use terms do indicate that the policy applies to any user of UMass information technology, and that all users are now obligated to act as safeguards of resources and must report any violations they witness to IT services.

The initiatives also grant Julie Buehler, vice chancellor for Information Services & Strategy & CIO, the right to authorize the limitation or restriction of use of the University’s information resources “for the good of community” and to “protect the integrity of these resources.”

Her authority extends “to the right to examine material stored on or transmitted through its resources if there is cause to believe that the standards for acceptable use are being violated.”

Dalton said the updates in the policies, approved by Chancellor Kumble Subbaswamy in September, were only grafted after consideration of student and faculty voices. He said that the purpose of public forums is to get the word out to the UMass community about the changes, but acknowledged that it is difficult to hold students attention on the matter despite its considerable importance.

Eric Gendreau, the secretary of technology for the Student Government Association, said in an email that he contacted the IT policy requesting that the changes and implications be highlighted to students in a way that easily explain what effects the changes will have.

Dalton said that the updates in the acceptable use policy make no monumental changes to the structure of the University’s network but primarily legitimized the fact that all codes of conduct that govern student behavior in the physical realm now apply to the digital.


Brendan Deady can be reached at [email protected] and followed on Twitter @bdeady26.