[ISN] IT advisory council to contribute to Ohio University's security efforts

From: InfoSec News (alerts@private)
Date: Tue Jun 05 2007 - 22:30:39 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9023219

By Jaikumar Vijayan
June 05, 2007 
Computerworld

Ohio University last week announced the creation of a new Information 
Technology Advisory Council that will contribute to its ongoing efforts 
to revamp data security following a series of high-profile computer 
intrusions at the university last year.

The advisory council will include representatives from faculty, 
staffers, students, IT professionals and executive leadership at the 
university. Its mission is to provide guidance for IT policies and 
processes, review and prioritize proposals for new IT services, and 
recommend IT-related funding requests from the university, a university 
statement said.

In addition, the council will help develop a mission statement and 
strategic plan for central IT besides overseeing an annual process for 
measuring the effectiveness of central IT, the statement said.

The creation of the committee builds on measures the university is 
taking to fortify IT security, said Brice Bible, who took over as the 
CIO at Ohio University in April.

"This presents a great opportunity for each of the university's 
constituents to have a formal voice in IT direction," Bible said. "The 
council will allow [the central IT organization] to have a two-way 
conversation" with all of the stakeholders across the university, he 
added.

Ohio University's move to establish the advisory council is the latest in 
a series of steps that the institution has taken in response to the 
discovery of five separate data breaches involving its systems in a 
two-month period, starting in April of last year. The breaches included 
one that resulted in the exposure of personal data belonging to 137,000 
alumni, and another that involved the compromise of a server containing 
personal data on 60,000 current and former students as well as some 
faculty and staff.

The incidents prompted the resignation of the university's CIO William 
Sams and the firing of two senior IT executives. They also triggered a 
wide-ranging overhaul of the university's IT infrastructure and 
strategies, including a 20-step plan for improving information security.

Much of the work on the technology front has already been accomplished 
or is in the process of being implemented, Bible said. For instance, he 
said, the university has deployed new perimeter firewall and network 
intrusion-detection and -prevention systems.

Measures have also been taken to eliminate the use of Social Security 
numbers on student and employee identification cards, he said. Starting 
June 18, all students and employees will be issued new ID cards without 
Social Security numbers, he said.

An effort is also under way to identify systems containing sensitive 
data across the university and find ways to minimize that data. The 
new advisory council will play a part in helping to vet a new data 
classification policy that is being rolled out across the university by 
the central IT department, Bible said.

"We are making significant progress at the foundational level," Bible 
said. He said that more work remains to be done in areas such as user 
education and security awareness training -- issues that the new council 
is designed to address.

Expect also to see the council play a significant role in an evolving 
effort to centralize more of the university's distributed IT operations, 
Bible said. The central IT organization that Bible heads is currently 
working with the separate IT groups at the university's College of Arts 
and Sciences, the College of Engineering and the Finance & 
Administration area. Bible said that the effort is to find areas where 
some IT functions can be managed by a core central IT group.

"There is a strong buy-in from university leaders about the need to 
rightsize the balance between distributed and centralized IT," Bible 
said. "We are beginning to develop a rightsize model, and we will use 
those two colleges and the one service unit to prototype it," he added; 
if successful, the same model will be rolled out universitywide.

