Information security high priority for Notre Dame
Comprehensive program underway to address risk
By James Cope
February 16, 2007 (reprinted from NDWorks)
This semester, you will begin hearing and seeing a lot about information security. From posters to new departmental protocols, from training sessions to new security teams, employees will be asked to become information stewards.
The displays and activities are part of a multi-level plan to manage the risk of handling sensitive data, such as private information associated with students, employees and donors.
Some aspects of the program result from findings of a campus information technology risk assessment conducted last summer through the Office of Information Technologies (OIT). Several campus departments joined OIT staff and worked in conjunction with the firm Ernst & Young.
OIT Information Security Director Gary Dobbins characterizes the assessment results as “neither startling nor especially pleasing.” Nevertheless, Dobbins says, “Highly directed network scans, surveys and interviews with University departments helped us pinpoint system vulnerabilities and business risks in a short period that generally only surface over time.”
The assessment confirmed the validity of security projects that were in the works, identified new opportunities to improve Notre Dame’s security environment and helped obtain the resource commitments required to move forward.
Several technical security initiatives are already nearing completion, according to Dobbins. They include a campus network firewall that limits the ability of potential hackers to access the University’s private networks, stronger controls around campus systems that process credit card transactions, and tools to assist users in scanning their workstations for the presence of sensitive data.
OIT is managing the campus-wide security awareness and training program, but several departments have been involved in the planning. Over the next two months, OIT will work with University departments to ensure that users have their computers configured according to appropriate standards. For example, these machines should have firewalls turned on, antivirus software active, and the most recent patches installed.
“We’ll ask departments to participate in training programs and become part of the information security team,” says Sara Exum, who is leading the information security communications and training effort. She likens the new initiative to the Renovare project, in which the project’s progress derived from the work of teams composed of both OIT and non-OIT personnel technology specialists.
“Typically, people first become aware of information security when they’re impacted on a personal level,” notes the OIT’s Mike Chapple, an author on the subject who also teaches a course in information security at Notre Dame. “They receive a notice in the mail from a broker or a bank that their personal information may have been compromised. These notices often serve as a wake-up call to the importance of observing secure data handling practices in the workplace.”
Security is not only a technology issue, says Associate Vice President/Associate Provost Gordon Wishon, the University’s chief information officer. “It’s about how we access, process, transmit and store sensitive information in all forms. It certainly covers laptop and desktop computers, but also includes how we deal with paper records, or whether we’re discreet in telephone conversations that involve sensitive data,” he says. “We’ll be taking steps to address all of these areas of risk through the University Information Security Program.”

