[ISN] Is student data safe?

From: InfoSec News (alerts@private)
Date: Tue Nov 28 2006 - 01:30:15 PST


http://deseretnews.com/dn/view/0,1249,650210566,00.html

By Erin Stewart
Deseret Morning News 
November 28, 2006

Utah's universities are working to protect students' personal 
information, but some schools need to get their policies up to date to 
block hackers and comply with federal law, according to a report 
obtained by the Deseret Morning News.

The first comprehensive information technology audit for the state 
system of nine public colleges and universities reveals a need for more 
formalized security policies to protect private information ranging from 
Social Security numbers to health data.

"Because of the open nature of universities, they've generally been a 
little bit more at risk. They can't be as open as they used to," said 
Steve Hess, chief information officer for Utah's System of Higher 
Education, who spearheaded the report.

Without clear security policies, Hess said, Utah's schools could be 
vulnerable to hackers and at risk for violation of the federal Family 
Educational Rights and Privacy Act, which bars colleges from releasing 
student records that include personally identifiable information.

While Hess said there were no glaring gaps in the networks of most Utah 
schools, there is a need for better training of certified security 
officers and more streamlined policies on how to monitor the system's 
vulnerability.

Currently, some schools rely on uncertified operations staff to perform 
security functions, the report said.

The audit recommends a systemwide update of each school's information 
technology policy to include at least 19 protocols such as how to report 
security breaches and acceptable use of technology. While most schools 
have security procedures in place, Hess said, many have not concretely 
included them in the school's information technology policy.

In particular, a majority of Utah institutions did not have clear 
policies controlling student identifiers in place of Social Security 
numbers and personnel clearances. About half of the schools did not have 
formal policies on security monitoring and enforcement.

The audit does not specify which universities are lacking formal 
protocols.

"They're just catching up to get those policies updated. That doesn't 
mean that they don't have them, they just need to get them into their 
policy," Hess said. "Everybody who has a desktop is at potential for 
some breach in security; a policy just lays down the law of the land."

Since Sept. 11, 2001, Hess said, universities across the nation have 
been re-evaluating their security processes, fueled by the fear that a 
terrorist hack could rob students of their identities and schools of 
their security.

Hurricane Katrina also spurred technology gurus to better protect school 
servers after many schools in the Gulf region had to shut down because 
the information needed to run the school was not backed up.

Weber State University and the University of Utah both received wake-up 
calls in the past five years as hackers broke into financial aid files 
at WSU in 2004 and into a former-employee database at the U. a year 
later. Leaders at both schools don't believe any identity theft occurred 
as a result of the hackings, but WSU chief information officer Don 
Gardner said it was an eye-opener.

"We're very concerned about student personal data. We have an obligation 
to protect personal information, and we want to make sure that that 
happens," Gardner said. "We also want to make sure that our network and 
computing resources are not misused by people who would like to use them 
to do illegal things."

At WSU, Gardner said that since the school's hacking scare, a security 
consultant has helped the school hire a certified security officer and 
update its policies. School leaders also beefed up their intrusion 
detection and began a system of continual network monitoring.

"Obviously when you do that you're going to find there are some 
weaknesses, but in general we found that we were not in terrible shape," 
he said. "We've really tightened things down in a number of different 
ways."

To better protect the databases of Utah's institutions, higher education 
leaders will also ask the state Legislature for roughly $1 million to 
back up all of the information at the state's backup site in Richfield. 
That backup site moves the information away from earthquake dangers 
along the Wasatch Front and would allow schools to continue operating 
after a natural disaster.

What the security audit recommends for colleges

* All institutions will have information technology security plans.

* All institutions will change their IT security policies to include a 
  list of 19 major protocols.

* Each campus will designate an IT security director who has been 
  trained and certified.

* Institutions will establish a disaster recovery and system backup site 
  in the existing Richfield data center.

* All institutions will participate in organized security initiatives.

* The System of Higher Education Security Committee will draft a best 
  practice security process for dealing with security incidents.

* IT security policies should include restrictions on the storage of 
  Social Security numbers and other private information on computers.

* The chief information officer will organize security audit teams and 
  will audit the security policy of each institution at least annually.

Copyright 2006 Deseret News Publishing Company

