Electronic Information Resource (EIR) Security Coordination Group
July 2006 Meeting

Summary: The meeting agenda and participants to discuss electronic information security.

Agenda

• Introductions (Dana Roode)
• Personal Data Security Breaches in the News (Mark Askren)
• UCI Network Security Update (Isaac Straley, NACS IT Security Manager) (PPT - 169 kb) [Only accessible from UCI domains]
• Security Updates From Units (Area Coordinators)
- Discussion about the security situation in your units and other steps we should take to enhance data protection

• Sensitive EIR Database (Dana Roode)
- Recent "updated flag" enhancement
- Setting a goal for this year's inventory review (October 30, 2006)

• UC Policy and other Security Updates (Steve Franklin)

Adminsitrative Area Cooordinators July 21, 2006 Participants

• Greg Ackerman <gdackerm@uci.edu>
• Kevin Ansel <kbansel@uci.edu>
• Marina Arseniev <marsenie@uci.edu>
• Mark Askren <maskren@uci.edu>
• Court Crowther <crowther@uci.edu>
• Josh Drummond <jdrummon@uci.edu>
• Liz Edgington <liz.edgington@uci.edu>
• Stephen Franklin <franklin@uci.edu>
• Patty Furukawa <pfurukaw@uci.edu>
• Gabriel Gracia <gpgracia@uci.edu>
• Joy Grosser <jgrosser@uci.edu>
• Beth Harnick-Shapiro <bharnick@uci.edu>
• Chris Harvie <charvie@uci.edu>
• Mike Iglesias <iglesias@uci.edu>
• Michael Koetsier <michael.koetsier@uci.edu>
• Derrick Lam <djlam@uci.edu>
• Bill Nail <wwnail@uci.edu>
• Paul Ocelnik <pocelnik@uci.edu>
• Dana Roode <dana.roode@uci.edu>
• Isaac Straley <straley@uci.edu>
• Kathy Taft <ktaft@uci.edu>
• Phil Wang <philw@uci.edu>
• Penny White <plwhite@uci.edu>

Academic Unit Area Cooordinators July 24, 2006 Participants

• Greg Ackerman <gdackerm@uci.edu>
• Kevin Ansel <kbansel@uci.edu>
• Marina Arseniev <marsenie@uci.edu>
• Mark Askren <maskren@uci.edu>
• Court Crowther <crowther@uci.edu>
• Josh Drummond <jdrummon@uci.edu>
• Liz Edgington <liz.edgington@uci.edu>
• Stephen Franklin <franklin@uci.edu>
• Patty Furukawa <pfurukaw@uci.edu>
• Gabriel Gracia <gpgracia@uci.edu>
• Joy Grosser <jgrosser@uci.edu>
• Beth Harnick-Shapiro <bharnick@uci.edu>
• Chris Harvie <charvie@uci.edu>
• Mike Iglesias <iglesias@uci.edu>
• Michael Koetsier <michael.koetsier@uci.edu>
• Derrick Lam <djlam@uci.edu>
• Bill Nail <wwnail@uci.edu>
• Paul Ocelnik <pocelnik@uci.edu>
• Dana Roode <dana.roode@uci.edu>
• Isaac Straley <straley@uci.edu>
• Kathy Taft <ktaft@uci.edu>
• Phil Wang <philw@uci.edu>
• Penny White <plwhite@uci.edu>

Additional Notes

In addition to the items covered by the presentations, discussion by the participants touched on the following topics:

• The challenge of raising security awareness demands persistence and many different approachs. Part of the challenge comes from the general perception that support staff is doing such a good job on security and so others need not worry. This situation was also summarized as "user apathy."
• NACS and AdCom are happy to come to departments to talk about about security awareness.
• Concern about security applies to all sensitive information, not just that information to which access is restricted by policy, law, or contractual agreements.
• Encryption of data on USB "Flash Drives" is a minimal, but prudent, step. Before taking it though, one should ask whether sensitive data really needs be put on such a device in the first place. It is far preferable to have it on a secure system and access it from there via a secure network connection.
• The concerns expressed above sensitive data on USB "Flash Drives" apply to all portable devices with storage capabilities ranging from portable media through PDAs, cell phones, and (of course) laptop computers. While encryption can lessen the risks of having sensitive data on such devices, the possibility of loss of the devices (either by accident or theft) makes them problematic choices for storage of definitive copies of important information (sensitive or not) and if the definitive copy of information is elsewhere, then secure network access to that information is preferable to increasing the risk that it falls into the wrong hands.
• Moving data off of desktops to servers is a necessary step both for security of the data and for operational reliability.
• Sending sensitive data to a networked printer presents (at least) two security risks that need be managed: the transmission of sensitive data on the network, assuring that the hard copy is not seen or picked up by others than the person(s) for whom it is intended.
• When Social Security Numbers (SSNs) must be used, their use should be limited as much as possible including using only parts of any SSN.
• There are situations where the university receives information with SSNs and must remove them, possibly replacing them with other identifiers.
• One should purge historic data when it is no longer needed, or, at least remove sensitive information from records as soon as possible. Deleting sensitive information from records when it is no longer needed allows one to retain other parts of the records which are still needed.
• "Shadow data bases" (local copies of information available elsewhere) are a persistent problem both for their vulnerability (they are often run with minimal attention to security) and because the IS3 area coordinators may find out about their existence only be accident and that accident may be a security breach.
• Research groups running their own servers can easily create situations much like those that "shadow data bases" present.
• Credit card data for conferences can be a big problem which can now be circumvented thanks to a new system AdCom has developed which allows it to process such information directly.
• In spite of secure electronic alternatives, some people continue to use old forms (e.g., Form 5 for expense reimbursement) which increases the exposure of restricted data.
• PowerGrep (http://www.powergrep.com/) has proved to be of value in scanning systems for certain types of restricted information (e.g., SSNs and credit card numbers).
• NACS is investigating PowerGrep and Spider from Cornell (http://www.cit.cornell.edu/computer/security/tools/) for broader deployment at UCI.