End User Privacy and Notification/Transparency
- Are ECP protections addressed in the TDI contract?
- Can the system capture everything a user does and replay it?
- Does the threat detection and identification system connect network activity to an individual user?
- Using the threat detection and identification (TDI) system, would vendor, UCOP or location analysts have access to aggregated data about users like web browsing histories or e-mail histories?
- If occasionally network users pay bills or order something from an on-line store, will the details of those transactions be stored in the threat detection and identification system?
- How is access to the system protected?
- If a computer was compromised would the affected faculty or staff member be notified?
- Is the TDI contract available for interested faculty and staff?
Are ECP protections addressed in the TDI contract?
Yes. Language specifically referencing the ECP is contained in the statement of work.
Vendor analysts and assigned staff are trained on ECP and are required to adhere to UC’s commitment to privacy.
Can the system capture everything a user does and replay it?
No.
Does the threat detection and identification system connect network activity to an individual user?
No. The threat detection and identification system scans traffic to and from the campus network to the internet and does not have the means to connect network traffic to a specific device, title, user or affiliate.
Users may use insecure protocols that broadcast user names in clear text and those could be temporarily retained for threat detection.
Depending on the location and the network architecture, site to site network traffic might also be scanned. (For example, health center to/from main campus.)
Using the threat detection and identification (TDI) system, would the vendor, UCOP or location analysts have access to aggregated data about users like web browsing histories or e-mail histories?
No. TDI has no notion of users or information about users.
The current TDI system focuses squarely on bad-actor and malware detection.
If occasionally network users pay bills or order something from an on-line store, will the details of those transactions be stored in the threat detection and identification system?
No. All secure on-line stores, banks and utilities use encrypted sessions. The threat detection and identification system does not intercept or break encrypted sessions and cannot see anything inside encrypted sessions. Metadata would be stored for 30 days, but metadata is not associated to users.
How is access to the system protected?
The threat detection and identification (TDI) system is designed to ensure security. The threat detection and identification devices meet industry security practices.
TDI is accessible through encrypted, password protected virtual-private networks (VPNs) and only by authorized individuals who are subject to and have been trained on the requirements of the ECP.
If a computer was compromised would the affected faculty or staff member be notified?
Yes, provided the location (using other tools) can match the user to the machine using the protocols and procedures already in place at the location for other security tools. The threat detection and identification system does not have information about users, so user identification relies on the use of other location tools.
Is the TDI contract available for interested faculty and staff?
Yes. Please contact your cyber-risk responsible executive (CRE).