U-M Windows Forest: Guidelines for Release of Security Log Information

Objective

Protect the privacy of individuals whose personal information may be captured in security logs in accordance with laws, regulations and university policies while supporting the normal operation, administration and troubleshooting of systems and networks.

Applicability

These guidelines apply to security logs, such as Kerberos and Windows logs, which capture security information associated with users of university information services. Users (whose private personal information is captured) may include faculty, staff, students, alumni and other individuals who access university information services. The guidelines specifically address requests from unit system administrators to access security log information associated with computers that are under their purview for troubleshooting purposes. Requests to access log information associated with a specific individual are also addressed.

General Guidelines

  • Efforts should be made to promptly respond to requests from unit system administrators to access security log information associated with their units.
  • To the extent feasible, responses to requests to release log information containing personally identifiable information (PII) should be segregated such that they contain minimal information necessary to address the request.
  • Here's where to send your request:
    • Send your request to the IT User Advocate (security@umich.edu) for further evaluation if:
      • the request specifies uniqnames (in any field) or workstations that fall outside of your unit's purview
        or
      • the request involves unusually sensitive data
    • Send your request to the ITS Service Center (4help@umich.edu) if:
      1. you are troubleshooting a time-sensitive issue
        and
      2. the uniqname(s) and/or workstation(s) fall within your unit's purview.

      The Windows/AD support team will notify the User Advocate's office that the request has been made, but in most cases they will not wait for UA approval to provide the requested information.
    • If in doubt, send your request to both the ITS Service Center and IT User Advocate.
  • PII gathered in log activities should only be released for legitimate business needs as outlined in Privacy and the Need to Monitor and Access Records (SPG 601.11).
  • In general, log information containing PII for individuals accessing the resources of a given unit should not be shared with other units except as authorized in cases involving investigations or possible violations of laws or university policies.
  • Exceptions to these guidelines can be arranged on a case-by-case basis between unit security administrators, ITS system administrators, and the IT User Advocate, with the approval of the IT User Advocate. For example, when testing of new features may create a repeated need to access security log information, arrangements can be made to provide the log information without going through the IT User Advocate.
  • Log information should be retained as long as required by applicable laws and regulations but not longer.

Responsibilities

ITS System Administrator (Controlling the Security Log)

  • Protect the confidentiality, integrity and availability of the logs under the administrator's control and maintain awareness of relevant policies and regulations.
  • Determine which logs may contain PPI and maintain awareness of types of logs and the scope of the information that they contain.
  • If requested to provide security log information to a unit system administrator:
    • If the request does not contain a uniqname, and the administrator is confident that the requested log information does not contain a uniqname (in any field), provide the log information to the requestor.
    • If it is feasible to extract and provide the requestor with only the information associated with the requesting unit, provide the selected log information to the requestor.
    • If it is feasible to satisfy the request with an anonymized log, provide the anonymized information to the requestor.
    • In all other cases, including cases where the request is made by an individual other than a unit system administrator, forward the request to the IT User Advocate for further evaluation.
  • Maintain tracking documentation for requests.
  • If requested, assist the IT User Advocate in segregating the log information to extract only requested information.

Unit System Administrator (Requesting Access to Security Log)

  • When requesting log information for troubleshooting purposes (from the ITS system administrator), identify the scope of information being requested and the reason for the request.
  • When requesting access to log information about a specific individual (such as time stamp, user ID, service accessed), obtain appropriate authorization (from unit HR or as appropriate) and forward the request directly to the IT User Advocate (security@umich.edu).
  • Protect the confidentiality and integrity of log information received in response to a request and ensure this information is only used for stated business reasons.
  • If the information is used by multiple system administrators in a given unit, they all need to be identified in the request and are all subject to these guidelines.

User Advocate

  • Respond to requests from ITS system administrators or unit system administrators to release log information containing PPI:
    • Determine appropriateness of request considering university policies and applicable laws and ensure the request is authorized.
    • If the request contains specific uniqnames, determine if the individuals whose information is requested are associated with the unit of the requesting system administrator. Approve the request if there is an established relationship between the requestor's unit and the individuals whose information is requested. Otherwise, obtain further authorization to determine whether the request should be satisfied or rejected.
    • Segregate log information as appropriate and provide the minimum necessary information to the requestor (may involve the ITS system administrator to assist in segregating log information).
  • Maintain tracking documentation for requests.
  • Maintain awareness of applicable policies and laws.
  • Work with IT organizations across the university to document specific procedures and agreements.
  • Approve exceptions to these guidelines for pre-determined cases.

Data Steward

Ensure policies and guidelines are in place for data classification and for releasing PPI to requestors.

Last Updated: Tuesday, May 22, 2018