University Park

Information privacy initiative outlined at Faculty Senate meeting

University Park, Pa. — During the University Faculty Senate meeting Tuesday afternoon (Sept. 9), Kevin Morooney, vice provost for Information Technology, presented a special report outlining a plan for building a culture of computer safety at Penn State and protecting the privacy of University community members. The two-phase process, which is in support of Penn State's Information Privacy and Security (IPAS) initiative, includes the location and protection of personally identifiable information on University-owned computers and full-disk encryption to protect laptops that are stolen or lost.

"A major challenge facing every university is the need to protect its sensitive data -- personal information about faculty, staff, students and research subjects -- from accidental loss or from deliberate compromise," said Morooney. "Since 2002 more than 12,000 computers at Penn State have been broken into, and the intensity and the sophistication of online threats continue to rise. As long as there is a market for personally identifiable information, there will be attacks on computers and networks."

Morooney added that more than 30 laptops have been lost or stolen at University Park alone since January. One researcher inadvertently disclosed the Social Security numbers of more than 8,000 research subjects -- making this information available to all the major search engines -- and four Penn State departmental servers were hacked in June and were found to be distributing malicious software.

It is not just universities that are experiencing the theft of sensitive information or the attacks on their computer networks. Across the nation, businesses, health-care providers and governments, along with universities, have reported a 69 percent increase in data breaches in the first half of 2008, according to a recent study by a nonprofit group, the Identity Theft Resource Center. The breaches involved almost 17 million consumer records.

"Our information environment is under attack several times a second each and every day, so we need to respond with increased efforts to protect privacy," Morooney stated. "And as a research university, we need to make sure that what we do is as unobtrusive as it can be to scholarship."

The scanning and encryption effort at Penn State also has become essential due to the Pennsylvania Breach of Personal Information Notification Act, which mandates that the University notify anyone whose personally identifiable information is disclosed when a computer is lost or compromised. Costs for this type of notification can get into the millions, depending on the number of individuals compromised, according to some estimates. As an example of the extent of the problem, during Penn State's scanning pilot this year, 3169 machines were scanned and 1619 had personally identifiable information on them.

Kathy Kimball, senior director of ITS Security Operations and Services, explained that Penn State has been actively seeking input from throughout the University community as the Information Privacy and Security plans unfold. Kimball contributed to the senate presentation along with Jeff Kuhns, associate vice provost for information technology, and David Lindstrom, chief privacy officer of the University and Professor of Practice in the College of Medicine.

"We value input from the University," Kimball said. "Comments from this meeting will be carefully considered. This is an opportunity to create a dialog about protecting our information assets at Penn State."

Since the plan currently involves periodic reviews by IT personnel on computers within each of the University's departments and units, the presenters stressed that the reviews will be exclusively limited to looking for numerical codes that resemble Social Security, credit card and bank routing numbers, as well as the presence of malicious software that might enable the compromise of sensitive data. Reviews will be accomplished with the full knowledge of everyone involved, and file content, such as teaching materials, research materials, financial information, letters of recommendation and personnel files, will remain untouched.

"We want to emphasize the scanning effort is not designed to highlight personal files or other material aside from the numerical patterns we have just described," Kimball said. "The ITS Security Operations and Services team has already been able to help many units at Penn State go through the review for sensitive data and we can report that the process has gone very well. In fact, it has resulted in a reduction of unprotected, personally identifiable information on Penn State networks."

ITS Security Operations and Services staff will be working closely with the technology staff in each Penn State area to ensure that sensitive data will be encrypted or eliminated if no longer needed in the coming months. For questions or concerns, contact the ITS Security Operations and Services team directly at security@psu.edu, or visit the Frequently Asked Questions (FAQ) section of the IPAS Web site at http://ipas.psu.edu.

For information from the Joint meeting of Computer Information Systems and Faculty Affairs, visit http://imagearchive.psu.edu/displayimage.php?pos=-22199 online.

Last Updated January 10, 2015