Utah's universities are working to protect students' personal information, but some schools need to get their policies up to date to block hackers and comply with federal law, according to a report obtained by the Deseret Morning News.
The first comprehensive information technology audit for the state system of nine public colleges and universities reveals a need for more formalized security policies to protect private information ranging from Social Security numbers to health data.
"Because of the open nature of universities, they've generally been a little bit more at risk. They can't be as open as they used to," said Steve Hess, chief information officer for Utah's System of Higher Education, who spearheaded the report.
Without clear security policies, Hess said, Utah's schools could be vulnerable to hackers and at risk for violation of the federal Family Educational Rights and Privacy Act, which bars colleges from releasing student records that include personally identifiable information.
While Hess said there were no glaring gaps in the networks of most Utah schools, there is a need for better training of certified security officers and more streamlined policies on how to monitor the system's vulnerability.
Currently, some schools rely on uncertified operations staff to perform security functions, the report said.
The audit recommends a systemwide update of each school's information technology policy to include at least 19 protocols such as how to report security breaches and acceptable use of technology. While most schools have security procedures in place, Hess said, many have not concretely included them in the school's information technology policy.
In particular, a majority of Utah institutions did not have clear policies controlling student identifiers in place of Social Security numbers and personnel clearances. About half of the schools did not have formal policies on security monitoring and enforcement.
The audit does not specify which universities are lacking formal protocols.
"They're just catching up to get those policies updated. That doesn't mean that they don't have them, they just need to get them into their policy," Hess said. "Everybody who has a desktop is at potential for some breach in security; a policy just lays down the law of the land."
Since Sept. 11, 2001, Hess said, universities across the nation have been re-evaluating their security processes, fueled by the fear that a terrorist hack could rob students of their identities and schools of their security.
Hurricane Katrina also spurred technology gurus to better protect school servers after many schools in the Gulf region had to shut down because the information needed to run the school was not backed up.
Weber State University and the University of Utah both received wake-up calls in the past five years as hackers broke into financial aid files at WSU in 2004 and into a former-employee database at the U. a year later. Leaders at both schools don't believe any identity theft occurred as a result of the hackings, but WSU chief information officer Don Gardner said it was an eye-opener.
"We're very concerned about student personal data. We have an obligation to protect personal information, and we want to make sure that that happens," Gardner said. "We also want to make sure that our network and computing resources are not misused by people who would like to use them to do illegal things."
At WSU, Gardner said that since the school's hacking scare, a security consultant has helped the school hire a certified security officer and update its policies. School leaders also beefed up their intrusion detection and began a system of continual network monitoring.
"Obviously when you do that you're going to find there are some weaknesses, but in general we found that we were not in terrible shape," he said. "We've really tightened things down in a number of different ways."
- National Weather Service radar mistakes swans...
- Lost recording of an interview with 1867...
- Many Mormon missionaries who return home...
- Utah husband wins 'Most Memorable Moment'...
- Supervolcano hidden in plain sight in Utah...
- Passerby was mistakenly used as translator in...
- Better than a raise: The smallest thing you...
- Young adults are faced with risky decision to...
- Pay increase for Gov. Herbert, other... 67
- Legal analysis supports Utah's law on... 36
- Do Utah high school students need four... 29
- Supervolcano hidden in plain sight in... 19
- Rare snowstorm traps I-15 motorists... 14
- John Swallow lost computer hard drive... 12
- Better than a raise: The smallest thing... 11
- 'Deseret News Sunday Edition' looks at... 10