Information Security Monitoring and Privacy Disclosure
The Office of Information Technology (OIT) is charged with operating the campus network (UCInet) and maintaining its security. The integrity of UCInet requires that the security of every computing system or device connected to the network be established and maintained.
The University does not examine or disclose electronic communications records without the holder’s consent, except under very limited circumstances described in the ECP. However, University employees who operate and support electronic communications resources, such as the OIT Information Security Team, regularly monitor transmissions for the purpose of ensuring reliability and security of University electronic communications resources and services. Except as provided by law or UC policy, the OIT Information Security Team are not permitted to seek out transactional information or contents when not germane to system operations and support, or to disclose or otherwise use what it has observed.
This document is an explanation of those practices and the limitations to systems monitoring to ensure privacy, confidentiality, and security in electronic communications. It refers to UCInet and does not include additional practices and requirements on ResNet, the UC Irvine Health network, or other segmented networks.
- UC Statement of Privacy Values and Privacy Principles
Intrusion Detection and Prevention
The OIT Information Security team uses a combination of automated technology and manual review to identify systems that are attacking campus information resources, may be infected with malware, or fail to meet the minimum security requirements. The automated systems use a combination of pre-determined signatures and traffic analysis. These systems may capture and store a relevant portion of electronic communications for systems or user accounts potentially being used to threaten the campus network. Security staff may manually review these stored captures, in accordance with privacy policies and law, to validate the findings or tune the automated systems.
The information may include: source and destination IP addresses, source and destination ports, URLs, and user names. Stored network traffic is usually 1-2kb of data.Attachment Analysis
Certain attachments on inbound email will meet criteria for additional scrutiny. Email originating from on campus is not processed.
Attachments identified for analysis are sent via an encrypted connection to a cloud-based, highly secure, automated analysis service. Following analysis, the copied attachment is destroyed.
Attachments found to carry malware are used to update the list of threat signatures recognized by the intrusion detection and prevention system. Forensic information for the purposes of tracking or mitigating damage may be stored.Threat Detection and Identification
The University of California has deployed a common Threat Detection and Identification (TDI) system for the purposes of coordinated analysis and response to systematic, professional cybersecurity attacks. The OIT Information Security team will also use this tool to augment existing intrusion and breach detection technologies.
UCOP has published information on the current and upcoming TDI systems, including what kind of data is monitored, how, and by whom it is analyzed, at https://security.ucop.edu/resources/threat-detection-and-identification/index.htmlAnti-spamming
The OIT Information Security team uses a combination of automated technology and manual review to identify systems or accounts that may be sending out bulk unsolicited email ("spam"). Because spam comes from unauthorized access to UCI email accounts, the OIT Security Team may take extra steps to review access or transaction logs to identify and contact users who may have had their passwords stolen or their accounts compromised.
The contents of emails are not reviewed or accessed without consent in the course of normal monitoring and review.
The information may include: source and destination IP addresses, source and destination ports, user names, and email addresses.Blocking
Users or systems that threaten the UCI network or UCI electronic resources may have network access revoked until the issue is resolved. Blocked computers will usually be redirected to a page with additional information. Blocked user accounts may deny access without additional information. OIT Security Staff will make best efforts to directly contact the account or system owner by email, but this is not always possible. If a system or account owner cannot be identified, OIT Security Staff will make best efforts to contact appropriate OIT or departmental computer support staff.
The OIT Information Security Team stores and utilizes a variety of logs. These logs may be reviewed by automated systems with pre-determined "red flag" algorithms or manually reviewed, as allowed by policy and law, to verify incident reports.
Connection logs are created and stored for all network traffic to and from UCInet and the internet and from UCInet and ResNet. Connection logs (Netflow) are created and stored for devices sending electronic communication within UCInet.
The information may include: source and destination IP addresses, source and destination ports, packet counts, and byte counts.
Authentication logs are created and stored for access to campus resources, such as WebAuth, email, VPN, etc. Campus system owners may also create and store their own logs.
The information may include: source and destination IP addresses, URLs, and user names.Bandwidth Monitoring
UCInet has no traffic cap or bandwidth limit for academic use. In some cases traffic is monitored for changes in bandwidth usage that could point to unusual activity and potential security compromise.
To ensure quality network access for all users and to prevent abuse of campus network resources, excessive bandwidth usage for non-academic traffic that impacts academic use may be asked to stop.
The information may include: source and destination IP addresses, source and destination ports, and bandwidth usage quantity.
If you will be utilizing high bandwidth, especially if you are concerned it may be mis-identified as personal traffic, please email firstname.lastname@example.org. This is not a requirement but it helps the security and network engineers tune the campus network and security practices.Privacy
The University recognizes that principles of academic freedom and shared governance, freedom of speech, and privacy hold important implications for the use of electronic communications.
University employees who operate and support electronic communications resources regularly monitor transmissions for the purpose of ensuring reliability and security of University electronic communications resources and services, and in that process might observe certain transactional information or the contents of electronic communications. Except as provided in policy or by law, they are not permitted to seek out transactional information or contents when not germane to system operations and support, or to disclose or otherwise use what they have observed.
In the process of such monitoring, any unavoidable examination of electronic communications (including transactional information) shall be limited to the least invasive degree of inspection required to perform such duties. This exception does not exempt systems personnel from the prohibition against disclosure of personal or confidential information.
Network traffic may be inspected to confirm malicious or unauthorized activity that may harm the campus network or devices connected to the network. Such activity shall be limited to the least perusal of contents required to resolve the situation. User consent is not required for these routine monitoring practices.
Except as provided above, systems personnel shall not intentionally search the contents of electronic communications or transactional information for violations of law or policy. However, if in the course of their duties systems personnel inadvertently discover or suspect improper governmental activity (including violations of law or University policy), reporting of such violations shall be consistent with the Policy on Reporting and Investigating Allegations of Suspected Improper Governmental Activities (the "Whistleblower Policy").