OIT fights security breaches
Marcela Berrios | Monday, April 2, 2007
Following several publicized security breaches this winter and last, the Office of Information Technologies (OIT) plans to upgrade Notre Dame’s standards of information security and its tools to combat network hackers, University officials said.
The initiative comes after an official’s laptop was stolen in December and sensitive information related to University employees – including Social Security numbers and salary figures – was potentially exposed, OIT Chief Information Officer Gordon Wishon said.
However, OIT began making upgrades before the incident, Wishon said. Last summer, the University hired Ernst & Young, a professional services firm, to give an independent and objective assessment of the security systems on campus.
Ernst & Young, he said, determined the University needed to improve its policies regarding the management of sensitive data within and across departments and offices, correct the inherent flaws of the Notre Dame network, and improve the education and awareness of students and employees regarding the handling and classification of sensitive information.
He said sensitive information in the Notre Dame network would include academic records, health services files, Social Security numbers, financial aid documents and University financial and investment information.
One of the tools OIT placed on its Web site to help the campus community pinpoint sensitive information is the Sensitive Number Finder software, which locates potential Social Security and credit card numbers on the computer’s hard drive, external hard drives, USB “thumb” drives and AFS or NetFile space, Wishon said.
OIT will also supervise work with different University departments in the upcoming months to make sure the office computers have firewalls, antivirus software and other preventive tools running, according to the OIT Web site.
To correct the flaws in the Notre Dame network, Wishon said OIT was taking Ernst & Young’s advice and considering security-differentiated zones within the public network, developing more effective firewalls against unauthorized users and making revisions and upgrades to the different servers on campus.
OIT Information Security Director Gary Dobbins said there were more than 40 different projects underway designed to reduce the risks of unauthorized access to University information.
“We are working to improve security for all campus systems, both desktops as well as servers,” Dobbins said. “Locating and identifying them all, particularly those which might contain sensitive information, is itself no small challenge.”
He said the Ernst & Young audit determined several servers on campus were operating in a vulnerable condition.
Dobbins said OIT representatives contacted the different offices and departments that were red-flagged about “further steps they can take to reduce those vulnerabilities.”
On Jan. 13, 2006, the University detected a breach in a Development Office server, which may have exposed the personal and financial information of several donors.
The University sent the donors whose information may have been leaked a letter on Jan. 20, 2006, detailing the crime and suggesting they keep an eye on their accounts, due to the risk of identity theft.
The University sent a similar letter on Jan. 2, 2007, to the employees who may have been affected by the laptop theft, WNDU reported.
These recommendations, Wishon said, also extend to all members of the Notre Dame community.
Information security, he said, pertained to firewalls and the individual’s discipline alike.
“[Information security] is about how we access, process, transmit and store sensitive information in all forms,” Wishon said on OIT’s Web site. “It certainly covers laptop and desktop computers, but also includes how we deal with paper records or whether we’re discreet in telephone conversations that involve sensitive data.”