Educause Security Discussion mailing list archives

Re: Chapel Hill researcher demoted after security breach


From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Thu, 7 Oct 2010 16:28:24 -0500

I've seen tensions between grants-funded IT projects and central IT for many years, and can read much experience 
between the lines of the paragraphs in the article.  At almost every resourcing level I've been exposed to, central IT 
isn't able to accommodate in a timely manner all the varying needs of individual research projects at the desired (or 
even the necessary) service levels.  I came to security (and later to central IT services) through research-funded IT 
system administration, mostly because I figured it'd be less work to keep the Bad Day from happening than it'd be to 
clean up after it.

For the record, I don't believe it'd be possible to do justice to the relevant facts in this case in less than a short 
monograph, if even that short.

However, I'm particularly taken by this paragraph:

  "The provost also accused her of assigning server-security duties to an inexperienced staff member, who failed to 
install important patches and upgrades, and of not providing the staff member with the training needed. Ms. Yankaskas 
countered that the staff member, who has since left, had worked for the university's technology office and that the 
employee never submitted a formal request for additional training."

So, did the PI honestly believe that the staff member actually had experience relevant and sufficient to the security 
demands of the project's IT systems?  Or was this the most experienced person they could afford to hire?  I recall that 
grants were fairly restrictive back in the day, allowing grant funds to purchase equipment and software, and to fund 
graduate researchers to work on the science, but specifically disallowed funding of support services that would allow 
for some technical continuity in the vagaries of complex software from one graduate student to another, much less 
system-administration functions.  I'd be surprised if that's actually gotten any better in the last 15-20 years.

Did the PI hire someone who used to work in helpdesk or some unrelated technology area?  A database programmer suddenly 
saddled with Oracle quarterly CPU matrices for the first time?  I regularly see evidence of non-IT folks assuming that 
anyone who knows anything about (any part of) IT is comprehensively knowledgeable and competent in all areas.  From 
this article, it seems like the Provost is of the opinion that the IT person wasn't appropriate.

The inclusion of the qualifying "formal" to "request for additional training" stands out as a possible danger sign.

I'm passing this article around in various areas as an excellent case study for local table-topping.

   -jml



Gene Spafford <spaf () CERIAS PURDUE EDU> 2010-10-07 15:43 wrote:
There is a basic issue here that goes somewhat beyond IT and cuts across campus.  When researchers conduct 
experiments that require IRB (Institutional Research Board) approval, a component of that involves ethical 
treatment of subjects.  When the subjects are humans, that includes issues of privacy, informed consent, security of 
records, protection and preservation of data, and other issues.

Too often the people on the IRBs as well as the scientists making the requests simply don't understand the issues and 
threats.   Thus, we end up with cases similar to the one at UNC where sensitive data is potentially compromised in one 
way or another.

There is plenty of blame to go around -- the researchers, who are using technology they don't fully understand and thus 
are unable to control and protect; the IRBs, for not providing appropriate oversight and staffing to ensure that issues 
of privacy, data preservation, data integrity, accuracy, deidentification, etc. are addressed; and campus IT staff for not 
asserting some leadership in these areas.

It is really unfair to blame the researcher for 100% of the problem at UNC if she was following an approved protocol 
and security plan, but that was not something that was described in the news article.

Expect to see more such incidents as time goes on.  Fines and losses are likely to increase, and institutions are not 
going to take them on all by themselves.

--spaf
