
Iowa Universities Provide Examples of Good and Bad Information Security and Privacy

In the past week the two largest universities in Iowa provided examples of both great and poor security practices. Let's see...how about the bad example first?

BAD EXAMPLE:

On October 8 it was widely reported that a former University of Iowa teaching assistant, who has been in Arizona since 2006, had a laptop computer stolen from his home last month. The laptop contained the personally identifiable information (PII) of 184 U of I students, past and present, including social security numbers (SSNs).

The way U of I handled the breach in the press was an example of what NOT to do.

"UI Information Technology Security Officer Jane Drews analyzed backup copies of the files and found them an unlikely source for committing identity theft.

The instructor buried the files in his directory structure and obfuscated the social security numbers, Drews said. While they were not encrypted, popular social security number scanning tools were unable to detect numbers in any of the five files, she said."

Whenever unencrypted PII that includes social security numbers is on a stolen laptop, it is irresponsible to publish an announcement that the information is unlikely to be used in a criminal manner.

Just because "popular" scanning tools did not "detect" SSNs in the files does not mean that an intelligent person cannot scan the raw data and recognize that, yes, those numbers stored alongside names and addresses could very well be SSNs! Nor does it mean that a more sophisticated tool in the hands of a hacker or criminal will not locate the SSNs.
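To show why a format-only scanner gives false comfort, here is an added example (not from the original post, and not the university's tooling): a naive scanner that only recognises the dashed ###-##-#### form, beside a tolerant one that accepts other separators and applies the SSA issuance rules, both run over constructed sample records with made-up numbers. This is the kind of check a security officer would run when scoping what a lost file actually contains.

```python
import re
from typing import List, Tuple

# Constructed sample records, modelled on what the article describes: SSNs
# stored next to names but without the familiar ###-##-#### formatting.
# Every number below is made up for this example.
SAMPLE_RECORDS = """\
Doe, Jane; 123 Elm St, Iowa City; id 123456789
Roe, Richard; 45 Oak Ave, Ames; id 219.09.9999
Smith, Pat; 9 Pine Rd, Des Moines; id 512 44 1234
Lee, Sam; 77 Maple Dr, Cedar Rapids; phone 515-294-4111
Bad, Record; nowhere; id 000-12-3456
Also, Bad; nowhere; id 123-00-4567
"""

# The "popular tool" behaviour: only the dashed canonical form is recognised.
NAIVE_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Tolerant form: dash, dot, space or no separator at all; the nine digits must
# not sit inside a longer digit run, which rules out phone numbers and IDs.
TOLERANT_SSN = re.compile(r"(?<!\d)(\d{3})[-. ]?(\d{2})[-. ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area is never 000, 666 or 900-999,
    group is never 00, serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def naive_scan(text: str) -> List[str]:
    """What a format-only scanner reports: dashed matches, no validation."""
    return NAIVE_SSN.findall(text)


def tolerant_scan(text: str) -> List[Tuple[str, str]]:
    """Return (normalised SSN, the record line it came from) for every
    plausible candidate, however the digits were separated."""
    hits = []
    for line in text.splitlines():
        for m in TOLERANT_SSN.finditer(line):
            area, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                hits.append((f"{area}-{group}-{serial}", line.strip()))
    return hits


if __name__ == "__main__":
    print("naive scanner:", naive_scan(SAMPLE_RECORDS))
    for ssn, record in tolerant_scan(SAMPLE_RECORDS):
        print(f"{ssn}  <-  {record}")
```

On the sample the naive scanner reports only the two impossible numbers and misses all three real-looking ones, which is exactly the gap the article warns about.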

There are other concerns as well...

* Why does a teaching assistant, or any professor for that matter, have the SSNs of students? I've been an MSIA professor for the past few years, and I can think of no reason a professor or teaching assistant NEEDS student SSNs. It sounds like the U of I is giving their teaching staff much more student PII than is necessary to accomplish their teaching responsibilities.

* Why was the teaching assistant allowed to take student PII, or any university data or software for that matter, with him when he left the employ of U of I? It sounds like the U of I's exit procedures, or lack thereof, are a significant security and privacy vulnerability.

GOOD EXAMPLE:

Over the past couple of weeks, Iowa State University held its annual CyberDefense Competition.

It is great to see a university actively engaging undergraduate and graduate students in hands-on information security activities side-by-side with practitioners and not just discussing theory. All universities should have activities and competitions like this to allow the students to truly learn through a focused experience.

For a comprehensive account of the competition, see LonerVamp's three part post on it here, here and here.

As I wrote in a comment on his site, I think the CyberDefense competition is a fantastic way to partner the ISU students with practitioners such as LonerVamp and others who have been in the information security profession and have the bumps and bruises to show for it...along with the knowledge only experience can provide.

Information security competitions such as this allow everyone involved to leave with lessons learned, with new contacts, and with a new or revived appreciation of doing hands-on activities as opposed to just discussing and debating philosophy, conjecture, theory and rhetoric.

Hopefully other universities will create similar competitions. Dr. Doug Jacobson has certainly created a great model at ISU.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.