Records: Confidentiality/Privacy and Access
We will follow applicable laws and University policies when accessing, using, protecting, or disclosing records.
This means that each member of the campus community who handles, maintains, or discloses records or other information:
- Gains familiarity with and complies with computer security and privacy laws and policies
Perspective: A Real World Illustration
An April 2003 Austin American-Statesman (Texas) newspaper article reported on numerous information security shortcomings and policy violations at a public university located in Texas. Although the nearly two dozen audits conducted over the past five years found no gaping holes in security, sensitive information could be placed at risk.
Reports by the university's internal audit office, which conducted 23 reviews, said problems generally were corrected while the audits were under way or were scheduled to be corrected promptly.
The auditors examined computer operations ranging from payroll systems to student records. An employee training database that was breached in late February and early March, resulting in the downloading of 55,200 names and Social Security numbers from another database linked to the training records, did not rank high enough to warrant auditing, however.
Federal prosecutors have charged a junior at the university with unauthorized access to the university's computer system and improper use of a Social Security number. Authorities say no nefarious use apparently was made of the downloaded information.
Among the problems cited in the audit reports:
* Authorizations to view and update data concerning student aid, student billing, donors and alumni were sometimes not revoked promptly when people left university employment or changed jobs.
* Backup systems needed to be improved so crucial services could continue in the event of a power outage, tornado, bombing or other disaster.
* Password requirements and storage practices for students and employees needed to be strengthened to reduce the risk of use by impostors.
* Security awareness training was needed for employees, along with stepped-up efforts to ensure that all students and employees sign a statement acknowledging acceptance of policies and procedures.
A May 1998 audit report that looked broadly at the university's many-layered and decentralized computer system said ongoing scrutiny not only makes sense but is required. State law directs agencies, including state universities, to take measures to protect against unauthorized or accidental disclosure, modification or destruction of electronic information.
"The university's information resources are accessible from around the world at any time. This expansion of connectivity and accessibility creates an infinite number of exposure points that can place critical university information resources at risk," the auditors warned in that report.
Last Revised 5/23/2006