University IT Security Initiatives
Nearly one hundred institutions of higher learning have reported having confidential information exposed in each of the last three years. When personal information about individuals, such as faculty, staff, students, donors, parents, etc., the institution may be required by federal and state legislation to inform and provide credit protection for everyone who may be affected by the exposure at significant cost, in many cases exceeding millions of dollars.
To date, Princeton has managed to avoid being included on lists of compromised institutions. However, as malicious individuals continuously sharpen their attacks, organizations that do not adapt to the increasing threats cannot expect to remain unaffected. In this context, we have initiated a number of technology projects to shore up our defenses and better protect the information entrusted to us. These projects focus on two areas that have been the primary cause of a significant percentage of reported information compromises, i.e., the uncovering of valid IDs and passwords, and the physical loss of mobile computer systems (e.g., computers, PDAs, smart phones).
New Anti-virus Software
The University has negotiated a campus-wide site license with McAfee for their product McAfee Virus Scan to replace Symantec AntiVirus for Windows NT/2000/XP/2003/Vista and for Mac OS X to provide the University community a pro-active means of battling computer viruses. The software is free to all faculty, staff, and students.
Protecting Data on Laptops with Encryption
To protect against information exposure due to the loss or theft of laptops or other mobile devices, we have begun to deploy software that will encrypt all of the information stored on those devices. With such software in place, information on the encrypted device will be unreadable to any individual who has not been explicitly authorized to unlock the system.
Login Security
To strengthen our password defense, we have added “bank-like” methods of logging into our core human resource and student record systems, where IDs and passwords will be supplemented with challenge questions that also must be successfully answered, such as “What was the make of your first car?” These methods have been deployed for our HR and student record systems, and will be expanded to other systems over the next few months.
Enhanced Account Management
We will be replacing our mix of automated and manual processes for provisioning and deprovisioning computer services with a centralized, fully automated system that will analyze and, if necessary, adjust the system access privileges in a timely manner for each member of the University community whenever his or her record is added to or updated in our human resource or student record systems.
We believe that the technological measures that we plan to implement will significantly improve our ability to secure University information. However, organizations have found that, without everyone’s personal involvement in securing our information, even the most advanced technological controls can fail. Therefore, your cooperation and support in this matter are critical.
