Intensified Security Efforts Follow Data Breach
A multipronged approach to shoring up data security practices universitywide is under way in the wake of a recent on-campus computer theft that potentially exposed the Social Security numbers of thousands of current and former students, faculty and staff.

Efforts are concentrated not only on ensuring that confidential information stored in Georgetown's computer systems is secure, but also on ensuring that the keepers of such information are doing everything possible to protect it. The work intensifies already established data security practices, but may look at new measures as issues emerge.

Senior Vice President Spiros Dimolitsas has created a universitywide Data Enhancement Security Task Force to scrutinize security issues and implement recommendations for protecting information. Senior leaders from the Main Campus, Law Center, Medical Center and University Services who oversee large data systems and processes on each campus will serve on the task force along with those familiar with specific data in areas including finance, human resources, student information and research.

A steering committee of senior administrative leaders, co-chaired by Dimolitsas and H. David Lambert, vice president and chief information officer, will prioritize the focus and coordinate the organizational structure for the task force, which will have about 100 representatives. Dimolitsas charged the group last week to begin an immediate inventory of their systems to identify potential vulnerabilities and prioritize areas to be addressed.

"The task force is an effort to shine a light on the work we're already doing but, I feel, needs to be done faster and with a lot more participation from the community," says Lambert, who oversees University Information Services (UIS). "It is primarily an effort to get the university community to recognize that the responsibility of information privacy and security isn't only from a technology side. It's really the responsibility of everyone on campus."

Lambert notes that data security, like physical security, is a shared partnership between university officials and individuals, and there are steps that all community members can take to help in the effort to protect electronic data. As part of its efforts, the task force will also launch what Lambert calls a "very, very aggressive awareness campaign" to publicize not only the availability of UIS resources but also individual steps that faculty and staff can take to protect data.

UIS can provide the technology, but it's up to everybody across the campus to recognize the risks associated with having an individual's confidential information, Lambert says.

Georgetown began the process of reducing Social Security number use as the primary means of individual identification in 1999, when GOCard numbers and the Net ID began to be used for university identification. However, "legacy data" still exists from before the phase-out, as evidenced by the stolen hard drive.

"Clearly the university has an obligation to protect these sensitive pieces of data, something that is made more real because the requirement to protect those kinds of data is increasingly making its way into legislation," Lambert notes.

In tandem with the new task force's work, UIS has been developing tools to help departments and individuals protect electronic data. These include providing advice on purchasing secure laptops for employees who need to access confidential data while on travel or via portable devices.  Such laptops, for example, could come with automatically encrypted disks and require three levels of security to access information.

Additionally, UIS is working to provide a secure environment where all personally identifiable information can be hosted, instead of being kept on individual hard drives. The department also is conducting desktop scanning of individual computers to identify and remove any personally identifiable information.

UIS is advancing its technology security plan, moving from a first-phase focus on providing security for systems, networks and central applications to the current concentration on data.

"The real focus of the initiative that lies ahead of us is on securing the data out in the distributed environment where it exists on desktops, laptops, PDAs, USB keys and attached hard drives," Lambert says. "The task force will be working with users across the university to ensure that this is done and that it's a collaboration."

For the university community:

How to Comply with Georgetown’s Information Security Policy

Information on securing sensitive data and other protective measures is available through UIS and includes information for faculty, staff, students and network administrators. Also, there are immediate steps the university community should take to protect information.

  • Review computer systems for confidential information, such as Social Security, credit card, bank account and driver’s license numbers. Computer systems include desktops, laptops, memory sticks and hand-held devices.
  • Erase old files and all files with unnecessary confidential information. The UIS security office can assist in ridding machines permanently of unneeded data.
  • Sensitive information that must be kept should be moved to a secure server space such as a Phoenix Enterprise File System drive. UIS provides support for this.
  • Business travelers who must carry confidential information should contact UIS for a consult.
  • Do not send confidential information via e-mail.
  • Do not use an unencrypted USB key or non-Georgetown device to store data.
  • Lock up laptops, external hard drives, USB keys and any other portable device in a drawer or closet or, at a minimum, keep the equipment out of sight in a locked office.
  • Do not give old computer equipment to another staff member or dispose of old computers without contacting UIS to securely remove all data from the machine. Do not throw computers away in hallways or Dumpsters.
  • Contact UIS, university counsel, risk management and the compliance office if data security concerns arise.
 Questions?  Call the UIS security office at 687-3031.

-- By Lauren Burgoon, Blue & Gray Assistant Editor

(February 11, 2008)