In the past week the two largest universities in Iowa provided examples of both great and poor security practices. Let’s see…how about the bad example first?
BAD EXAMPLE:
On October 8 it was widely reported that a former teaching assistant from the University of Iowa, who has been in Arizona since 2006, had a laptop computer stolen from his home last month. The laptop contained the personally identifiable information (PII) of 184 U of I students, past and present, including social security numbers (SSNs).
The way U of I handled the breach in the press was an example of what NOT to do.
“UI Information Technology Security Officer Jane Drews analyzed backup copies of the files and found them an unlikely source for committing identity theft.
The instructor buried the files in his directory structure and obfuscated the social security numbers, Drews said. While they were not encrypted, popular social security number scanning tools were unable to detect numbers in any of the five files, she said.”
Whenever unencrypted PII that includes social security numbers is on a stolen laptop, it is irresponsible to publish an announcement that the information is unlikely to be used in a criminal manner.
Just because “popular” scanning tools did not “detect” the files does not mean that an intelligent person cannot scan the raw data and recognize that, yes, those numbers that appear alongside names and addresses could very well be SSNs! Nor does it mean that a more sophisticated tool in the hands of a hacker or criminal will not locate the SSNs.
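The point about scanning tools is easy to demonstrate. Below is an added example (it is not code from the post, and the records are constructed, with made-up names and synthetic SSNs) that runs two detectors over a handful of lines: the naive dashed-SSN pattern that many "popular" scanners rely on, and a more tolerant one that accepts spaces, dots or no separator at all and then applies the SSA structural rules (area not 000, 666 or 900-999; group not 00; serial not 0000) to cut false positives. A defender assessing a breach, or validating a DLP tool, should test against exactly this kind of lightly obfuscated data rather than trusting a clean scan.

```python
import re

# Constructed sample records: the names are fictitious and the SSNs are
# synthetic values chosen only to exercise the detectors.
SAMPLE_LINES = [
    "Alice Example, 12 Elm St, 219-09-9999",   # canonical dashed form
    "Bob Sample, 44 Oak Ave, 320 13 2468",     # dashes replaced by spaces
    "Carol Test, 9 Pine Rd, 221134567",        # separators stripped
    "Dave Demo, 7 Birch Ln, 440.22.1357",      # dotted separators
    "Order 000-12-3456",                       # dashed but structurally invalid (area 000)
    "Invoice 2010-11-30 total 1234",           # a date, not an SSN
    "Phone 515-555-0123",                      # phone number, 3-3-4 digit layout
]

# Pattern a naive scanner typically uses: exactly ddd-dd-dddd.
NAIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Tolerant pattern: nine digits in 3-2-4 groups with an optional dash, dot or
# space between groups, and no adjacent digits on either side.
TOLERANT = re.compile(r"(?<!\d)(\d{3})[-. ]?(\d{2})[-. ]?(\d{4})(?!\d)")


def plausible_ssn(area, group, serial):
    """Apply the SSA structural rules to reject values that cannot be issued SSNs."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def naive_scan(lines):
    """Lines flagged by the dash-only pattern."""
    return [line for line in lines if NAIVE.search(line)]


def tolerant_scan(lines):
    """Lines flagged by the separator-tolerant pattern plus structural checks."""
    hits = []
    for line in lines:
        for match in TOLERANT.finditer(line):
            if plausible_ssn(*match.groups()):
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    print("naive scanner flagged:")
    for line in naive_scan(SAMPLE_LINES):
        print("  ", line)
    print("tolerant scanner flagged:")
    for line in tolerant_scan(SAMPLE_LINES):
        print("  ", line)
```

The naive scanner flags two lines, and one of them is the structurally invalid "Order" entry, while it misses three real records that differ only in their separators. The tolerant scanner flags all four real records and none of the decoys. Neither detector is exotic; the gap between them is the gap between "our tools found nothing" and "the data is not there".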
There are other concerns as well…
* Why does a teaching assistant, or any professor for that matter, have the SSNs of students? I’ve been an MSIA professor for the past few years, and I can think of no reason a professor or teaching assistant NEEDS student SSNs. It sounds like the U of I is giving their teaching staff much more student PII than is necessary to accomplish their teaching responsibilities.
* Why was the teaching assistant allowed to take student PII, or any university data or software for that matter, with him when he left the employ of U of I? It sounds like the U of I’s exit procedures, or lack of, are a significant security and privacy vulnerability.
GOOD EXAMPLE:
Over the past couple of weeks, Iowa State University held its annual CyberDefense Competition.
It is great to see a university actively engaging undergraduate and graduate students in hands-on information security activities side-by-side with practitioners and not just discussing theory. All universities should have activities and competitions like this to allow the students to truly learn through a focused experience.
For a comprehensive account of the competition, see LonerVamp’s three part post on it here, here and here.
As I wrote in a comment on his site, I think the CyberDefense competition is a fantastic way to partner the ISU students with practitioners such as LonerVamp and others who have been in the information security profession and have the bumps and bruises to show for it…along with the knowledge only experience can provide.
Information security competitions such as this allow everyone involved to leave with lessons learned, with new contacts, and with a new or revived appreciation of doing hands-on activities as opposed to just discussing and debating philosophy, conjecture, theory and rhetoric.
Hopefully other universities will create similar competitions. Dr. Doug Jacobson has certainly created a great model at ISU.
Tags: awareness and training, CyberDefense Competition, encryption, Information Security, Iowa State University, IT compliance, lost laptop, personal information, PII, policies and procedures, privacy, privacy breach, risk management, security training, stolen laptop, University of Iowa