Intercom

intercom home  |  advanced search  |  about intercom  |  alerts  |  faq  |  help  |  rss  

user functions

Log into intercom now

Current Ithaca College community members may contribute stories and comments as well as view additional topics by logging in.

Reset My Password

roundup

E-mail
Roundup

Sign up to receive a summary of Intercom headlines via e-mail three times a week.

Information Security

Contributed by Karen McGavin on 09/06/2006 

Most members of our campus community have probably read or heard about several high-profile breaches of information security recently at private corporations, government agencies, and other institutions of higher learning.

In this modern era where we transact more and more business online, security of our computer systems and the integrity and confidentiality of the information they contain has become increasingly more important. So much so, in fact, that it was the number one priority initiative recommened by the Information Technology Planning and Advisory Committee (ITPAC) in their IT Strategic Plan submitted to the president last year. Information Security is also a high priority of the college auditors and the audit committee of the Board of Trustees.

Over the next few months, Information Technology Services will be announcing new programs aimed at increasing the security of campus information systems. Among these will be instructions about how to secure email messages during transmission and stronger password policies for access to our most sensitive information systems. While every effort will be made to make these programs as transparent and easy to implement as possible, they may still require some small change in the way many of you are used to doing business.

We hope that you will accept these changes in the spirit in which they are made, as necessary steps toward better security for our most sensitive information systems and data. While much of the onus of responsibility for securing college information assets rests on the shoulders of Information Technology Services, all of us must ultimately bear a share of that responsibility as we use this information in the day-to-day performance of our duties. We ask your patience and cooperation with this important endeavor. Thank you.

Information Security | 2 Comments |
The following comments are the opinions of the individuals who posted them. They do not necessarily represent the position of Intercom or Ithaca College, and the editors reserve the right to monitor and delete comments that violate College policies.
Refresh view
Information Security Comment from kwikoff on 09/07/2006
Understood, always remembering that there is a basic dichotomy here -- convenience vs. security. The more secure a system, the less convenient to use; the more convenient, the less secure. ITS folks have to find a balance which is stringent enough in its security to protect sensitive information while not making use by authorized users so cumbersome to be a total pain.

I'd also note that it is rare for information to be hacked in transmission -- it happens, but most of those news stories we all have been hearing are about how information was stolen out of the server on which it was stored, not while it was being transmitted. So, it makes no difference if you send your credit card info or your social security number online via a secure connection, or if you give it over the phone, or you visit the store in person and use your card -- the thing to worry about is how well is that other party protecting your sensitive information once they have it on their servers and in their system. THAT is the point of weakness which needs the most protecting. Online businesses have the whole transmission thing down tight -- but are they storing your info securely once they have it?

Also a note from a recent experience: my bank recently instituted "Two-Factor" sign-ons for accessing bank accounts online. That means that in addition to a user id and a password (of at least 8 characters, with at least one letter and one number and which is changed every 3 months), now there is also a matrix -- a grid of numbers with axes of letters and numbers. Below the id/password login, a random selection of three of these (such as A5, G3 and F2, for example) must also be entered.

While this new practice does make the system harder to hack into, it ignores the fact that security is not only a matter of technology, but also of human interactions and behavior. With this matrix, there is no way the users are ever going to memorize that grid, so we are forced to print out a copy (maybe more than one, in case one gets lost) and carry it around with us. Having something printed out and carried around significantly DECREASES security -- but there's no other practical way. All the bank has done is to shift responsibility off themselves onto the customers, who are hardly prepared or placed to manage security of this sort for themselves. Despite increased security on the technology end, my bank account is now LESS secure, thanks to these new measures.

More system breaches occur because of physical access -- such as looking over a secretary's shoulder and seeing the password s/he has taped to his/her monitor so s/he won't forget it -- than from random hackers hacking in remotely. A password so tough and/or changed so often it has to be written down is actually LESS secure -- because of the natural human factor.

As security plans go forward, I hope our ITS will keep the human factor well in mind.

Respectfully,

Karin Wikoff, Electronic Resources Librarian (with some grad school training in network security, and a tiny bit of experience, but not the expertise or experience of our ITS staff)

Information Security Comment from efuller on 09/07/2006
ITS is keenly aware of the apparent dichotomy between security and convenience and the difficulty of striking an appropriate balance especially in an environment that values academic and intellectual freedom and the free flow of information. Nevertheless, there are compelling reasons for enhancing security practices, among them being an increasingly hostile Internet, regulatory compliance, and increased awareness and scrutiny of information security practices by external auditors and the Board of Trustees. ITS will make every effort to ensure that the security practices we put in place will not be onerous and that we will not unnecessarily sacrifice ease of use for the sake of security.
------------
Ed Fuller
Associate Vice President for
Information Technology Services