Hurricane Katrina also spurred technology gurus to better protect school servers after many schools in the Gulf region had to shut down because the information needed to run the school was not backed up.

Weber State University and the University of Utah both received wake-up calls in the past five years as hackers broke into financial aid files at WSU in 2004 and into a former-employee database at the U. a year later. Leaders at both schools don't believe any identity theft occurred as a result of the hackings, but WSU chief information officer Don Gardner said it was an eye-opener.

"We're very concerned about student personal data. We have an obligation to protect personal information, and we want to make sure that that happens," Gardner said. "We also want to make sure that our network and computing resources are not misused by people who would like to use them to do illegal things."

At WSU, Gardner said that since the school's hacking scare, a security consultant has helped the school hire a certified security officer and update its policies. School leaders also beefed up their intrusion detection and began a system of continual network monitoring.

"Obviously when you do that you're going to find there are some weaknesses, but in general we found that we were not in terrible shape," he said. "We've really tightened things down in a number of different ways."

To better protect the databases of Utah's institutions, higher education leaders will also ask the state Legislature for roughly $1 million to back up all of the information at the state's backup site in Richfield. That backup site moves the information away from earthquake dangers along the Wasatch Front and would allow schools to continue operating after a natural disaster.

What the security audit recommends for colleges

• All institutions will have information technology security plans.

• All institutions will change their IT security policies to include a list of 19 major protocols.

• Each campus will designate an IT security director who has been trained and certified.

• Institutions will establish a disaster recovery and system backup site in the existing Richfield data center.

• All institutions will participate in organized security initiatives.

• The System of Higher Education Security Committee will draft a best practice security process for dealing with security incidents.

• IT security policies should include restrictions on the storage of Social Security numbers and other private information on computers.

• The chief information officer will organize security audit teams and will audit the security policy of each institution at least annually.

---

E-mail: estewart@desnews.com