Educause Security Discussion mailing list archives
Re: Chapel Hill researcher demoted after security breach
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Thu, 7 Oct 2010 16:28:24 -0500
I've seen tensions between grants-funded IT projects and central IT for many years, and can read much experience between the lines of the paragraphs in the article. At almost every resourcing level I've been exposed to, central IT isn't able to accommodate in a timely manner all the varying needs of individual research projects at the desired (or even the necessary) service levels. I came to security (and later to central IT services) through research-funded IT system administration, mostly because I figured it'd be less work to keep the Bad Day from happening than it'd be to clean up after it.

For the record, I don't believe it'd be possible to do justice to the relevant facts in this case in less than a short monograph, if even that short. However, I'm particularly taken by this paragraph:

"The provost also accused her of assigning server-security duties to an inexperienced staff member, who failed to install important patches and upgrades, and of not providing the staff member with the training needed. Ms. Yankaskas countered that the staff member, who has since left, had worked for the university's technology office and that the employee never submitted a formal request for additional training."

So, did the PI honestly believe that the staff member actually had experience relevant and sufficient to the security demands of the project's IT systems? Or was this the most experienced person they could afford to hire? I recall that grants were fairly restrictive back in the day, allowing grant funds to purchase equipment and software, and to fund graduate researchers to work on the science, but specifically disallowed funding of support services that would allow for some technical continuity in the vagaries of complex software from one graduate student to another, much less system-administration functions. I'd be surprised if that's actually gotten any better in the last 15-20 years.

Did the PI hire someone who used to work in helpdesk or some unrelated technology area? A database programmer suddenly saddled with Oracle quarterly CPU matrices for the first time? I regularly see evidence of non-IT folks assuming that anyone who knows anything about (any part of) IT is comprehensively knowledgeable and competent in all areas. From this article, it seems like the Provost is of the opinion that the IT person wasn't appropriate. The inclusion of the qualifying "formal" to "request for additional training" stands out as a possible danger sign.

I'm passing this article around in various areas as an excellent case study for local table-topping.

-jml
>>> Gene Spafford <spaf () CERIAS PURDUE EDU> 2010-10-07 15:43 >>>

There is a basic issue here that goes somewhat beyond IT and cuts across campus. When researchers conduct experiments that require IRB (Institutional Research Board) approval, a component of that involves ethical treatment of subjects. When the subjects are humans, that includes issues of privacy, informed consent, security of records, protection and preservation of data, and other issues. Too often the people on the IRBs as well as the scientists making the requests simply don't understand the issues and threats. Thus, we end up with cases similar to the one at UNC where sensitive data is potentially compromised in one way or another.

There is plenty of blame to go around -- the researchers, who are using technology they don't fully understand and thus are unable to control and protect; the IRBs, for not providing appropriate oversight and staffing to ensure that issues of privacy, data preservation, data integrity, accuracy, deidentification, etc., are addressed; and campus IT staff for not asserting some leadership in these areas.

It is really unfair to blame the researcher for 100% of the problem at UNC if she was following an approved protocol and security plan, but that was not something that was described in the news article.

Expect to see more such incidents as time goes on. Fines and losses are likely to increase, and institutions are not going to take them on all by themselves.

--spaf