Conducting Administrative Investigations Involving University Employees and Information Resources

1. Purpose

1.1 The purpose of this statement is to establish an operating policy for the University of Texas at Austin (U. T. Austin) pertaining to administrative investigations based on a reasonable suspicion of an employee’s inappropriate use of university information resources. This operating policy serves as a supplement to the internal administrative policies established at U. T. Austin.

2. General

2.1 The general scope of this operating policy will apply to acquisitions of information technology hardware (e.g., computers, media, etc), computer and/or network forensics, and access to university issued machines and accounts.
2.1.1 Procedures for active or former, non-student and student employees shall be identified.
2.1.2 Procedures for active or former students shall not be identified.
2.1.3 Computer forensics investigations shall not be initiated solely for the purpose of identifying causes of an employee’s lack of productivity.  In such situations, local management should utilize the university’s performance management process (http://www.utexas.edu/hr/manager/pm/).
2.2 Management will support the university’s legal responsibilities and will cooperate with Human Resource Services, Internal Audit, the Office of Legal Affairs, and the Information Security Office in the investigation and reporting of violations of university policy.
2.3 The Information Security Office will supervise all computer and network forensics investigations based on a reasonable suspicion of inappropriate use of information resources. When an investigation reveals suspected criminal activity or an investigation is initiated due to an allegation of criminal activity, the University of Texas Police Department will be notified immediately.
2.4 When the Information Security Office investigates an administrative violation; the normal procedure for obtaining computer evidence and other information relevant to the matter under investigation shall be to impose an information requirement and/or an acquisition of evidence.  The Information Security Office shall provide the requestor with a list of anticipated deliverables and due dates so to ensure all are clear about the scope of the investigation.
2.5 In certain cases involving an immediate threat to persons or property or other exigent circumstances, the Information Security Office shall preserve or acquire evidence as necessary and may provide evidence to law enforcement in advance of a public records request, subpoena, or warrant.  In such cases the Office of Legal Affairs shall be consulted unless exigent circumstances exist.

3. Administrative Investigations

3.1 All administrative investigations involving active or former, non-student or student employees and requiring acquisitions of information technology hardware (e.g., computers, media, etc), computer and/or network forensics, and access to university issued accounts must be requested by authorized department heads, or their designee, representing one of the following units: Internal Audit, Human Resource Services, the Office of Institutional Equity, or the Office of Legal Affairs. These requests shall be served directly to the University Information Security Officer for handling. All such requests shall clearly demonstrate the specific policy violations, based on articulable facts, warranting a forensic investigation.
3.1.1. The Information Security Office shall not proceed with any administrative investigations without first consulting with the Office of Legal Affairs unless exigent circumstances exist.  In such cases, the Information Security Office shall consult with the Office of Legal Affairs as soon as possible.

4. Data Protection

4.1 The Information Security Office shall keep its work papers and evidence secure and limit access to only those individuals designated by the University Information Security Officer.
4.2 In order to avoid damaging the reputations of innocent persons initially suspected of wrongful conduct, and to protect U. T. Austin from possible civil liability, the results of investigations conducted by the Information Security Office shall only be disclosed or discussed with those persons associated with U. T. Austin who have a legitimate need to know such results in order to perform their duties and responsibilities, subject to the provisions of the Texas Public Information Act.
4.3 Information gathered and exchanged under the terms of this statement shall be managed in compliance with applicable laws, rules, and regulations and shall be classified as confidential at all times.

5. Reference