Our encryption strategy

Nearly one hundred institutions of higher learning have reported having confidential information exposed in each of the last three years. When personal information about individuals, such as faculty, staff, students, donors, parents, etc., is exposed, the institution may be required by federal and state legislation to inform and provide credit protection for everyone who may be affected by the exposure, at significant cost, in many cases exceeding millions of dollars.
 
To date, Princeton has managed to avoid being included on lists of compromised institutions.  However, as malicious individuals continuously sharpen their attacks, organizations that do not adapt to the increasing threats cannot expect to remain unaffected.  In this context, we have initiated a number of technology projects to shore up our defenses and better protect the information entrusted to us.  These projects focus on two areas that have been the primary cause of a significant percentage of reported information compromises, i.e., the uncovering of valid IDs and passwords, and the physical loss of mobile computer systems (e.g., computers, PDAs, smart phones).
 
To strengthen our password defense, we will be adopting “bank-like” methods of logging into our core human resource and student record systems, where IDs and passwords will be supplemented with challenge questions that also must be successfully answered, such as “What was the make of your first car?”  Those identified as having weak passwords will be required to change them to a stronger value.
 
To protect against information exposure due to the loss or theft of laptops or other mobile devices, we plan to deploy software that will encrypt all of the information stored on those devices. With such software in place, information on the encrypted device will be unreadable to any individual who has not been explicitly authorized to unlock the system. This effort will be part of a larger project that will additionally provide state-of-the-art anti-virus technology to all laptop and desktop computers used by members of our campus community.
 
It is important to note that the U.S. Department of Commerce regulates the movement of encryption software across national boundaries in the interest of national security.  Thus, OIT is being asked to work with the Office of the General Counsel and the Office of Audit and Compliance to develop the necessary procedures and supporting systems that will help us avoid incurring significant fines for non-compliance. 
 
We believe that the technological measures that we plan to implement will significantly improve our ability to secure University information.  However, organizations have found that, without everyone’s personal involvement in securing our information, even the most advanced technological controls can fail.  Therefore, your cooperation and support in this matter are critical.