Routine Network Monitoring Policy

Background

UC’s Electronic Communications Policy (ECP) sets forth the University’s policy on privacy, confidentiality, and security in electronic communications and establishes the basic principle that the University does not examine or disclose electronic communications records without the holder’s consent. In recognition that network security monitoring necessarily involves examination of electronic communication records in some manner, the ECP authorizes and directs the Chancellor to establish local practices and procedures defining permissible routine network monitoring in collaboration with faculty, staff and students. Berkeley has formalized the process of evaluating and approving such practices through its Information Risk Governance Committee (IRGC). IRGC members include faculty, staff and students and come from areas across the campus to ensure the committee adequately represents the interests of diverse campus constituents. The Chancellor has delegated IRGC formal authority to establish policies and practices balancing security and privacy, including those that speak to permissible network monitoring.

Policy on Routine Network Monitoring

Monitoring of the Berkeley Campus network shall conform to the requirements of the ECP as implemented on the Berkeley Campus and be performed only by authorized UC employees or contractors in accordance with this policy, all other UC and Berkeley Campus policies, and applicable laws. Any additional network monitoring activities beyond those listed must be granted approval from IRGC. IRGC will also periodically review routine network monitoring to ensure such practices strike an appropriate balance between privacy and security. Any networking monitoring practices not approved by IRGC shall be prohibited.

Routine Network Monitoring Practices

Routine Network Monitoring

In accordance with ECP Section II.D.2 and Section V.B., the following practices represent activities performed on the Berkeley Campus network and made possible by virtue of Berkeley operating the network; these activities monitor the reliability and security of systems. Such activities may only be performed by authorized campus employees or contractors in accordance with the requirements of ECP and its implementation on the Berkeley Campus, including specified privacy risk mitigations. Routine monitoring activities shall be limited to the least perusal and subject to the shortest retention period required to ensure the reliability and security of systems. Routine network monitoring activities consist of:

  • Automated network Intrusion Detection System (IDS) with sensors that detect signs of malicious / unauthorized activity or security vulnerabilities. Human review of automated alerts is permitted for verification and tuning of the system provided that such review is limited to the least perusal necessary consistent with those two objectives. 
  • Collection of network flow logs to identify anomalies in network communications, atypical bandwidth use indicative of unauthorized activity and network traffic from known bad actors on the internet.

Scope of This Notice

This notice does not include:

  • Monitoring conducted by the UC Office of the President under the Coordinated Monitoring and Threat Response Initiative. See Current Issues below. 
  • Service-specific monitoring conducted by and on behalf of providers of electronic communication services, which providers must document and publish under ECP Section IV.C.2.b. (The bConnected transparency report is a model for how service providers communicate that information.)
  • Active vulnerability scanning where campus scanning equipment performs the same activities as would be available to any other device on the internet, including those used by bad actors.

Current Issues

As the information security threat landscape continually evolves and new technologies emerge, IRGC will continually evaluate the balance of privacy and security to define the scope of permissible monitoring. IRGC is currently working through the challenges of shared governance with the University of California Office of the President. A statement on this issue by UC Office of the President is available here:

http://www.ucop.edu/information-technology-services/initiatives/uc-information-security/coordinated-monitoring-and-threat-response.html

Questions

Questions about the Routine Network Monitoring practices?

Questions about the Electronic Communications Policy?

  • Please contact the Campus Privacy Officer, Lisa Ho.