Reviewed 1/18/07

I. PURPOSE
To outline responsibilities, guidelines, and standards of conduct for all individuals who function as network or system administrators for the University of Miami.

II. DEFINITIONS
Administrative Unit: Any school, department, division, office, or person that provides or facilitates computing and/or telecommunications/network services to the members of the University of Miami community.

Central Database: The official administrative record keeping repository for university information. All official personal, biographic, and demographic data are stored here.  The actual database technology used to store this data is known as PIDMS.  The web-based application EASY is used by university users to maintain the accuracy of this information.

Email Administrator:  An individual who performs network/system administration duties, technical support, and/or electronic mail application administration of network/systems that are accessed by other people (for their primary email account), systems, or services for the purpose of sending and receiving electronic communications.  This includes email alias systems.

Email Alias:  A virtual electronic mail address that does not identify an actual mailbox but an email alias system that is used to forward/redirect mail to a physical email address or another alias address.

Email Alias Systems: Systems on which email alias forwarding services are offered.

Information Technology (“IT”): The Department of Information Technology and/or its designee.  IT is the unit which provides needed tools, training and information to Network/System Administrators.

Network and/or Systems Administrator: An individual who performs network/system administration duties and/or technical support of network/systems that are accessed by other people, systems, or services.  Only full-time and permanent part-time employees of the University and/or third party vendors approved by IT may function as system/network administrators.  Webmasters shall be considered Network/System Administrators for purposes of this policy.  System/Network Administrators may employ students to assist them in systems administration only under the direct technical supervision of a technically competent System/Network Administrator; such students are covered by this policy.

Physical Email Address:  An email address that identifies both the system on which a subscribing user has a mailbox and the mailbox/account.

Primary Email Account/Address:  Email accounts or addresses that have been registered by members of the university community in the central database as their address/account of choice for electronic mail communication within the university.

Subscribing Users:  Members of the university community that have requested and been given electronic mailboxes on a university system of choice.

III. POLICY
It is the responsibility of the network/system administrator to follow the guidelines of their administrative unit as well as all pertinent University of Miami policies, licensing agreements with software manufacturers, and local, state and federal laws.

Network or System Administrators report to a department, school or other administrative head, and they also represent their administrative unit in keeping IT informed of all appropriate matters pertinent to their responsibilities.  Regular meetings, as determined by IT, are to be held between the unit Network/System Administrator and the appropriate designee in order to maintain close working relationships and openness in day-to-day communications.

Among their other responsibilities, the Network/Systems Administrator should use reasonable efforts to:

  * Become familiar with all applicable University of Miami IT policies.
  * Participate in required Network/Systems Administrator training and regular meetings as determined by IT.
  * Take precautions against theft of or damage to the system components and information.
  * Faithfully comply with terms of all hardware and software licensing agreements applicable to the system.
  * Treat information about, and information stored by, the system users in an appropriate manner and to take precautions protecting the security of a system or network and the security and confidentiality of the information contained therein.
  * Promulgate information about specific policies and procedures that govern access to and use of the system and services provided to the users or explicitly not provided.
  * Cooperate with the system administrators of other computer systems or networks, whether within or without the University, to find and correct problems caused on another system by the use of the system under his/her control.
  * Ensure that the administrative unit systems comply with applicable University policies, licensing agreements, software manufacturers, and local, state and federal laws.
  * Promptly inform IT, the Network/System Administrator, and the management of the affected administrative unit, of any computing incidents which clearly compromise system or network integrity, including but not limited to:
      o Notification by outside institutions or individuals of any incident.
      o Data loss or theft.
      o Inappropriate systems or information access or use.
      o Any other breach or violation of IT policies of which they become aware.

  * Promptly notify IT of material changes in Network/System architecture or administration.

Network/System Administrators, when requested, are expected to cooperate fully with the IT Department in any investigation, identification, and resolution of system/network incidents.

The Network/System Administrator is not responsible for the content of files, images, video or audio clips, electronic communications, and news postings produced by others.  The Network/System Administrator is also not responsible for software installed by others.  Network/System Administrators are responsible, however, for notifying IT and their supervisors of any observed violations of University computing policies, licensing agreements with software manufacturers, or observed violations of local, state, or federal laws regarding these matters.

If the Network/Systems Administrators become aware of misuse of computing resources, they must provide notification of the incident to IT as well as the user’s supervisor, instructor, department or division chair, as appropriate.  Other steps that may be taken are to:

A. Temporarily suspend or restrict the user’s computing privileges during the investigation.  Reactivation is at the discretion of IT and the administrative unit’s senior management.

B. Remove the affected computer device, as appropriate, from the network and notify IT and the appropriate administrative unit management.

C. Refer the matter for possible disciplinary action to the appropriate University unit, including but not limited to the Department of Human Resources.

These steps may be taken only after authorization by the administrative unit head unless the situation represents an emergency or immediate threat to network security/integrity.  In such case, the Network/System Administrator must document the circumstances of the incident and notify the administrative unit management and IT as soon as possible.  Actions should be taken in such a way that any impact to non-offending users is minimized.

The Network/Systems Administrator shall maintain and make readily available to IT any updated documentation of any and all devices within their unit that will attach to the University’s network.  The report must include the following information:

  * Manufacturer, model and serial number.
  * Operating System and revision number.
  * IP [and/or IPX] and MAC address of all network interface cards within the system.
  * Computer’s host name(s) and primary user’s information.
  * Physical location of the equipment.
  * Network/System administrator’s name and phone numbers (office and after-hours).
  * System’s primary functions (e.g. web services, file server, mail server, personal computer, etc.).

In the course of their duties, it may be necessary for systems administrators to view files, data or communications that have been stored by other people on PCs or network file servers in addition to logs of network traffic and activity.  The viewing of such material is permitted only in the legitimate course of business when necessarily incident to the rendition of communications services, when necessary to protect the integrity of University computing facilities, the rights or property of the University or third parties, or to ensure compliance with University policy or applicable law.  Examples include the identification/restoration of lost, damaged or deleted files; the identification of a process that is interfering with normal network functions; or in more serious circumstances, an investigation that system security has been compromised.  In all such cases, the Network/System Administrator shall take into consideration the confidential nature of files and/or communications that may potentially be reviewed and shall implement the appropriate safeguards to ensure that all local, state and federal privacy laws are complied with.  IT and the appropriate administrative unit management must be advised of any non-routine monitoring that occurs.  In addition, in such cases where an individual’s file or communications contents are reviewed pursuant to non-routine monitoring, notice shall be given to the individual after such review has taken place.  Non-routine monitoring includes directed investigations of potential policy and/or security violations.  Discovery of such violations in the course of routine monitoring must be reported.

It is the responsibility of each administrative unit within the University to define a hierarchy with respect to computer administration.  As part of this process, the Network/System Administrator(s) for each administrative unit or subdivision shall be identified.  A chain of command shall also be established and documented for review of technical data, network traffic, and system files; supervision of Network/System Administrators; and those clearly specified authorizations required for review of such files, data or communications.

Any inquiries regarding the implementation or scope of this policy should be referred to the Office of the Vice President and General Counsel.

Email administrators should use reasonable efforts to:

  * Comply with all network/systems administrator policies.
  * Respond to all requests for support, information, problem determination and problem resolution.
  * Supply Information Technology with contacts and contact information on primary, secondary, and tertiary contacts if it differs from network/system administrator contact information. Contact information should include contact instructions for after hours and weekends.
  * Provide appropriate, industry-standard virus screening and filtering services for incoming and outgoing email.
  * Maintain a comprehensive electronic directory of email addresses for University of Miami constituents in a timely manner. Directory information should be updated no less than weekly from composite directory information provided by Information Technology. The update should be daily.
  * Provide only properly authenticated access to university directory information.
  * Ensure university directory information is not used to promote SPAM, unwanted mailings and mass mailings.
  * Provide Information Technology a mechanism by which it can monitor directory timeliness.
  * Provide regular notification to subscribing users of their respective systems of contact information for email delivery, problems, and questions.
  * Provide timely notification to the appropriate central data custodian within Human Resources of changes in email account status that would affect email delivery.
  * Survey subscribing users on a regular basis to confirm operational status and accurate registration of email information in the central database and be prepared to report on findings at least annually.
  * Inform subscribing users of the availability and benefits of using the “@miami.edu” address naming convention.
  * Maintain the application software in a fully supported version with all appropriate patches and updates.
  * Configure and maintain the application software in a manner to optimize security and respond to ongoing security threats including but not limited to the strength of account passwords for subscribers.
  * When primary email addresses are involved, provide email alias and/or forwarding services either to university email systems in compliance with this policy or to non-University systems (such as @hotmail, @aol, @yahoo). Primary email accounts may not reside on and forwarding services may not be provided to university systems that are not in compliance.
  * When operating a university email alias system, assume responsibility for enforcing this policy on all university systems to which email is routed or provide routing tables to Information Technology.
  * Maintain an ongoing compliance with this policy.

To assist email administrators in complying with the provisions of this policy, Information Technology will:

  * Provide timely directory information in an easily accessible format and location.
  * Provide notification to email administrators when employees have a relevant change of status like termination or transfer.
  * Provide a regular, not less than quarterly, list of users who have indicated that their primary email address is a physical email account located on the administrator’s system.
  * Maintain and post a list of email administrators and/or contact information for university email systems.  This may be used by email administrators to resolve delivery problems between systems.
  * Create a communication forum through which email administrators can collaborate, share information, receive alerts, participate in planning and decision making, and be notified of impending changes that may impact their operation.


IV. SANCTIONS AND DISCIPLINARY ACTION
Any violations of this policy may result in any of the following actions, consistent with approved University policies, including the Faculty Manual where applicable:

  * Suspension or termination of access to computer and/or network resources;
  * Suspension or termination of employment;
  * Expulsion, or suspension of student status;
  * Breach of contract for computer and/or network services; or
  * Criminal and/or civil prosecution.