December 1, 2010 | Michael Kirk

New Director Leads Data Security Push

In the wake of two recent breaches, UConn is embarking on a major IT security initiative.

Pufahl7633_lg
Jason Pufahl, chief information systems security officer. Photo supplied by UITS

In September, Jason Pufahl was named chief information systems security officer for the University of Connecticut.

His appointment to the newly-created position could not have come at a more appropriate time: in August, a laptop computer was stolen from UConn’s West Hartford campus, exposing the names and Social Security numbers of thousands of applicants to the campus – a serious security breach. In October, it was discovered that the names and Social Security numbers of 23 former students could be found on the Internet, after a faculty member mistakenly stored the list in a way that was not secure.

In both instances, the University notified all those who were affected and offered to pay for two years of identity credit monitoring coverage through the Debix Identity Protection Network. But it was clear to Pufahl, Chief Information Officer David Gilbertson, and President Philip Austin that a major information security initiative was needed to ensure that personal data on campus systems is safe and secure.

“The incredible growth of electronic data storage in the last 15 years has sometimes outpaced the ability of institutions to ensure its total security,” said Pufahl, who originally came to UITS in 2004 as a security analyst. “There are too many pockets of data and personal information sitting exposed that have sometimes just been forgotten about or not properly secured.”

In the case of the security breach discovered in October, the student information had been stored a decade ago. In the August breach, the laptop was apparently in an unlocked cabinet and not encrypted.

In announcing the data security initiative at UConn in October, Austin wrote: “… I have concluded that UConn must, in the next several months, embark upon a comprehensive and deliberate effort to address computer security concerns. Our focus will be on identifying our vulnerabilities and ameliorating them, both with respect to previously acquired and stored data and data that will be acquired and stored in the future.”

The program’s initiatives will focus on the following primary risk areas:

  • Compliance – Ensuring the University is taking the necessary steps to protect regulated information such as medical and credit card data;
  • Education and Training – Ensuring appropriate security training is available for all faculty, staff, and students;
  • Data Loss Prevention – Reducing the risk of data loss due to loss, theft, or technology failures;
  • Unauthorized Electronic Access – Protecting resources from network-based threats;
  • Unauthorized Physical Access – Preventing unauthorized admission to sensitive areas of the University;
  • Business/Operational Continuity – Ensuring that critical University systems are available and University business can continue during emergency situations;
  • Identity and Access Management – Systems to ensure that people who need access to systems are the ones that have access to those systems;
  • Security Governance – Processes to ensure security decisions are understood and appropriate.

The plan is to divide the project into four phases: the first and second phases will entail improving the administrative processes of storing and accessing data. The third and fourth phases will involve deploying technology that will identify unsecured data in all UConn computers and systems. Parts of the various phases will run concurrently with one another.

According to Pufahl, the process of implementing the initiative will require a significant investment of time and resources – and depend on the cooperation and understanding of the UConn community.

“The first and second phases will largely be behind the scenes and won’t require any active participation by most students and employees,” he says. “For the final phases, we will need the campus community to work with us to ensure we can identify and secure data, such as Social Security numbers, that isn’t where it should be or is somehow exposed.”

The technology used in the second two phases will be able to detect information like Social Security and credit card numbers that are vulnerable on computers and servers. Knowing where that sensitive data is will allow UITS and the individual or department that own it to either scrub it from the system or store it securely.

“Our sole concern here is locating and protecting data,” says Pufahl. “It is not about assigning blame or responsibility to anyone for not storing it correctly or not knowing it’s there. All we care about is making sure the information is secure.”

Pufahl expects the initiative to begin in January 2011.

In the meantime, he suggests everyone at UConn visit the UITS information security page and make sure they are doing everything they can to keep their computers and information secure: