Security Roadmap
In the last year, thousands of computers were infected, attacked, and temporarily disabled within the University system. On numerous occasions the availability, integrity, and confidentiality of data were threatened or compromised. The overall performance of the University network, a mission-critical resource, was severely degraded at times by these attacks.
As a result, the entire University technical community is improving practices that will minimize these losses of service. University OIT has specifically responded to these issues with the Protecting Private Data Standard, currently in draft status, which the University proposes to formally adopt during the Fall 2004 semester. This document addresses the standard, its concepts and its required practices, and we strongly encourage you to work with the resourceful and professional IT staff that serve nearly every unit in CLA to protect the computers and data in your jurisdiction. View a list of frequently asked questions (FAQs) on the Protecting Private Data Standard and other security measures.
Protecting Private Data Standard: This University policy will require uniformly high standards for protecting private data, effective on all computer systems and other digital storage devices that contain such data. It is likely that you have data that can be classified as private data. Some examples include:
- Creative work, manuscripts, drafts, research writings, research data.
- Grade data. It is not clear at what point student grade data becomes private; however, all recorded grades are explicitly private data.
- Data for which you have signed confidentiality agreements.
- Data that is classified as protected private data, such as almost all data about your students.
- Any personal data such as bank accounts, investments, and personal information in digital files.
- Medical data.
- Human research subject data, including data that could reveal an individual’s identity.
- Any other category that can be added – this is not an exhaustive list.
Definition of Private Data: According to the standard, private data is any data that does not fall within the definition of “public data” as defined by the Minnesota Data Practices Act, HIPAA, FERPA, GLBA or other applicable laws and University policies. Private data includes your University payroll data; research, medical, and human research subject data; creative output that is potentially copyrightable (e.g. manuscripts, artwork, research data, research materials); and most data about students and employees. University OIT Security provides examples.
Responsibility for Private Data: Data has a faculty or staff owner, and your IT support technician has the duty to help protect the college-supplied devices that store this data. Note that the data owner, not the IT staff, is responsible for its confidentiality and access control.
Examples of Data to be Protected:
University OIT Security provides the following examples of private/non-public data:
Non-directory Student Information may not be released except under certain prescribed conditions. Non-releasable information includes:
Passwords: In order to provide a higher level of general security and prevent certain automated attacks, the Protecting Private Data Standard will require everyone to use longer and more complex passwords (also called ‘high-quality’ or ‘strong’ passwords) and periodically change them on all networked computer systems starting the Fall 2004 semester. Your password(s) can be captured through a variety of covert technical means on any unsecured computer or network, and can be captured on a trusted computer by malicious software, hardware, or humans with physical or electronic access. Once a password is in someone else's hands they have the ability to steal or otherwise compromise your work, works-in-progress, or legally-confidential private data; impersonate you via email or to University self-service applications; steal your identity using information (such as your pay stubs, W-4 and W-2 forms) stored on your computer or at the University; or frame you for computer crimes. Using strong passwords, choosing different passwords for different computer systems, and changing each password regularly are important measures to maintain your privacy, security, and legal innocence.
In addition to stronger password standards, the University recommends (and may require) that data owners take other precautions to protect computers storing private data, including:
Anti-Virus Software and Operating System Updates. Many of the attacks last year impaired the broad campus network and temporarily crippled individual CLA computers, both from within (e.g., via virus-infected emails) and from without (e.g., direct and/or automated network intrusions). These situations demonstrate the need for regular and rapid distribution of operating system patches, other software patches and security updates, and antivirus software definitions to minimize and prevent such events in the future. Please work with your IT staff to regularly maintain all supported computers.
Using Alternative Browsers. Vulnerabilities in web browsers are exploited rapidly by malicious programmers around the world. Credit card information, bank information, and passwords may be stolen, and programs may be covertly installed to further compromise vulnerable computers. The most frequently exploited browser is Microsoft Internet Explorer, which may be required for certain University systems. Other browsers such as Mozilla, Firefox and Netscape are considered safer for general use; again, work with your IT staff to determine if alternative browsers are feasible for you.
Physical Access Restrictions. Non-technical attacks against information property remain a significant concern. Computers can be stolen, passwords read from sticky notes, paper documents viewed, etc.
Other major policy impacts: As part of these policies, the University expects your IT staff to either manage your computers and data storage or to review your computers, data storage, and usage patterns, assess their compliance with University security policy, and advise you on further protections that may be necessary or appropriate. University policy compliance will be required this fall. This means:
- Computer equipment and computerized laboratory devices will need to comply with University security policies, and will be maintained and/or reviewed by IT staff for compliance.
- Windows XP/2000 machines must have certain University-mandated configuration settings, or their equivalent, as specified in the Protecting Private Data Standard. Other operating systems (MacOS X, UNIX, Linux) also need similar security-oriented configuration.
- Private data must be encrypted if sent across any internet link, including the campus network.
- Private data must be encrypted if stored on a portable device, such as a laptop or a PDA.
- Network traffic to devices storing private data must be controlled and/or filtered through firewalls or similar technologies.
- Physical access to devices storing private data must be controlled and/or restricted to authorized personnel.
- Each computer must keep a log of security events and the logs must be reviewed.
- Backups of the data must be made.
Need Help Now?
CLA-OIT Helpdesk
Contact us directly:
Phone: 4-HELP (612-624-4357)
E-mail: help@cla.umn.edu