
Friday August 2nd, 2013

UC Irvine Answers to ITLC Security Roundtable Questions
February 1, 2006

Summary: The ITLC group met on February 1, 2006 to discuss how UC Irvine is handling data security on campus.

1. Has a person been designated responsibility for IT security at your campus? If so, who?

Mark Askren (AVC AdCom Services) and Dana Roode (AVC Network & Academic Computing) have been jointly assigned this role.

2. Have information security awareness communications urging specific actions been sent to the campus community? Which groups on your campus have received these communications?

Yes – in Spring 2005 (after the laptop theft at UC Berkeley involving 100,000 graduate student records), a letter from the Chancellor went out to all faculty and staff reminding them of their responsibility to protect sensitive data (copy attached below).  It also recommended that data be removed if there was not a compelling business case to maintain it.  Prior to this, a note announcing Mark and Dana’s role was issued to all employees.  A recent note from Vice Chancellor Parker reminded all employees about the efforts of unit Electronic Security Coordinators and asked them to make sure all EIRs with sensitive data were recorded in UCI’s sensitive data inventory (copy attached below).  This inventory is stored and accessible centrally but maintained in a distributed fashion using a Web application.

3. Have accountable individuals and responsibilities been identified for the units that handle restricted information?

We have worked through division leadership to identify “IS-3 Electronic Security Coordinators” in every division.  These coordinators are responsible for facilitating electronic security efforts in their areas, including maintaining an inventory of EIRs that have sensitive data.  The Security Coordinators comprise two standing committees on security, convened by Mark and Dana.

4. Is your campus providing IT / information security training? What training vehicles are being used?

We have launched a new web site – www.security.uci.edu – that is designed to help end-users secure their electronic activities.  We are creating a PowerPoint slide based on the information in the site that folks on campus can use to do informal seminars on security practices.  We have discussed with executive management a requirement that all employees take a security e-learning class, which we hope to base on materials coming out of other UC campuses.

5. Has your campus established minimum security requirements or standards? If so, what enforcement mechanisms are in place?

Yes – UCI implemented Policy 800-18 (Security Guidelines for Computers and Devices Connected to UCInet) in Fall 2005.  This is based on similar policies from other campuses.  There is no enforcement mechanism in place unless machines are compromised or present active security threats – in this case they will be taken offline until the problem is resolved (this is provided through previously existing UCI policy).

6. What other mandates or recommendations have been issued by campus leadership regarding information security requirements or standards of accountability?

Nothing other than what has been mentioned above.

7. What encryption strategies are being deployed on your campus? What encryption technologies are your campus using (or planning to use)?

This is an open issue at UCI that we are tracking and would like to do more on.  In addition to units looking at encrypting major central databases, we would like to provide user-friendly tools to allow end-users to easily encrypt any sensitive data they might have.


2005 Chancellor Letter to Faculty and Staff Regarding Sensitive Data

Date:  04/08/2005
From:  Ralph J. Cicerone, Chancellor
To:  UCI Community
Re:  Protecting Confidential Information

Dear Colleagues,

The recent theft at UC Berkeley of a laptop containing personal information for 98,000 individuals serves as an important reminder of our responsibility to safeguard confidential information.  In addition to placing personal identity data at risk for a great many people, this event and similar ones at other universities can result in corrective actions involving considerable effort and expense.

I ask that you review the contents of computers, PDAs, and other devices in your possession, to make sure you are aware of any sensitive data stored on them.  If you do not have an immediate need for this information, and it can be safely removed, please do so.  If you have a specific requirement to maintain sensitive data, it is your responsibility to protect it.

Sensitive data may consist of student records, employee records, research data, medical records, personal information about collaborators on grants, or other information.  The data may be stored in any format, including Excel spreadsheets, Word documents, e-mail messages, or plain text files.

Of particular concern are records containing personal identity information. Under California law, California residents must be notified when a computer security breach (including loss or theft of equipment) is reasonably believed to have allowed their personal information to be acquired by an unauthorized person.  This personal information is defined to be a person's name together with any of the following: social security number, driver's license number or California identification card number, or financial account information such as credit card numbers.

In addition to the normal security threats desktop personal computers and shared access systems are subject to, portable devices and information stored on them are particularly susceptible to loss or theft.  The best course of action is to not store sensitive information on portable devices at any time.  If storing the data cannot be avoided, data elements that identify individuals should be removed.  Data encryption is another option, but the effectiveness of some commonly available tools is limited.

Additional information and recommendations about data security are available on the following web page:

<http://www.nacs.uci.edu/datasecurity/>

Personal/portable computing and storage devices have become an important and regular part of how many of us work and how much of the University's work is done.  However, without taking appropriate precautions, the value of these devices will be outweighed by the very real risks they pose to the security of personal and institutional information.

If you have questions, concerns, or suggestions, please contact Dana Roode of NACS (DRoode@UCI.EDU) or Mark Askren of AdCom Services (MAskren@UCI.EDU).  Dana and Mark are working to coordinate campus efforts to enhance electronic data security.

Ralph J. Cicerone
Chancellor

http://www.chancellor.uci.edu


2005 Letter Regarding Electronic Security Coordinator Efforts

Date:  10/17/2005
From:  William H. Parker, Vice Chancellor, Research & Dean, Graduate Studies
To:  UCI Campus Community
Re:  Identifying Sensitive Data Maintained at UCI

In April Chancellor Cicerone wrote to remind all of us of our responsibility to protect confidential data that was in our care.  He asked that everyone review the contents of computers, PDAs, and other devices in our possession, to make sure we were aware of any sensitive data stored on them.  It is important that we maintain an awareness of sensitive data we have, remove it if no longer needed, and take steps to protect it otherwise.

As a part of UCI's efforts to enhance information security, "Electronic Security Coordinators" have been identified in each administrative division and academic school.  In addition to participating in campus-wide discussions and efforts to improve security, these coordinators are responsible for compiling and maintaining an inventory of sensitive data resources in their area.  These inventories help maintain awareness of data present on campus, provide information for unit and campus risk assessment, and facilitate UCI's compliance with California Civil Code 1798.29/1798.82 ("SB1386").

I am writing to ask for your support of Electronic Security Coordinator efforts.  If you store sensitive data on behalf of your department or work group, please make sure that your coordinator is aware of it.  For the purposes of the inventory, "sensitive records" are defined as those with a person's name together with any of the following: social security number, driver's license number or California identification card number, or financial account information such as credit card numbers.

To determine who is serving as the Electronic Security Coordinator in your area, please consult the following:

     http://www.nacs.uci.edu/security/is3/is3-coordinators.html

Thank you for your attention to this very important issue.  If you have suggestions or concerns, please contact your security coordinator, Dana Roode (DRoode@UCI.EDU) or Mark Askren (MAskren@UCI.EDU).

 

William H. Parker
Vice Chancellor for Research,
Dean of Graduate Studies