Interesting People mailing list archives
Yet another university data breach; Feinstein to demand encryption
From: David Farber <dave () farber net>
Date: Wed, 06 Apr 2005 16:13:54 -0400
------ Forwarded Message
From: Ross Stapleton-Gray <amicus () well com>
Date: Wed, 06 Apr 2005 10:57:18 -0700
To: <dave () farber net>, johnmac's living room <johnmacsgroup () yahoogroups com>
Subject: Yet another university data breach; Feinstein to demand encryption

The SF Chronicle's David Lazarus writes on yet another university data breach, this time at UC San Francisco:

http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/04/06/BUGEOC3L5N1.DTL

(Disclaimer: I was the first and only IT Security Officer (a policy position) in the UC Office of the President; I was hired by a CIO who'd been recruited away from the Pentagon, but who left UC shortly after I was hired... my position was eliminated after about a year. I do not think I was effective, largely because management was unwilling to accord IT security any real support. Information management in a university environment is chaotically crazy by nature, but decisions were also made that demanding that we conform to our own IT management policies was impermissibly "rocking the boat.")

The new wrinkle in the Lazarus article is the news that California Senator Dianne Feinstein will "introduce federal legislation within the next few days requiring encryption of all data stored for commercial purposes. "What this shows is that there is enormous sloppy handling of personal data," Feinstein said."

It may be that UCSF is the final straw, but it feels like this is the ChoicePoint breach talking. Hopefully any (useful) requirements in a Feinstein bill aren't confined to "data stored for commercial purposes," unless she's willing to define that to include such things as university admissions data (a la the previous UC Berkeley breach). But I say "useful"... merely mandating, "data must be encrypted," is like finding spoiled food in the 'fridge, and mandating that all foods will be in containers, without an acknowledgement that corrugated cardboard is different from plastic, that foods have shelf lives, and that some require special handling, e.g., child-proof tops on some pharmaceuticals. And goodness knows a poor implementation of encryption can be worse than none at all.

At the root of this, really, is more a problem of records management than one of IT security. What I saw in my year at UC was local IT security administrators fighting fires (e.g., installing anti-viral software, tending to IDSes) in an abandoned and decrepit building: records management was so woefully neglected that one couldn't identify all of the sensitive information holdings, let alone who was responsible for them; awareness of responsibilities of those who owned sensitive records was minimal; tools for protecting sensitive information, e.g., deidentifying personal information (there's far less of a problem in losing 100,000 records, if each record is tagged with a pseudonymous serial, instead of a name and SSN, say), absent; etc., etc.

The Chancellor of UC Berkeley has announced that he'll "engage one of the nation's leading data-security management firms to conduct an immediate external audit of how the campus handles all personal information," this in response to their own March 11th breach (when a laptop with 100,000 personal records was stolen):

http://idalert.berkeley.edu/chancellorletter.html

I think the scope of what's found will surprise him.

As another marker, I was intrigued while at UC to see a marked difference in paper vs. electronic, in the area of forms soliciting personal information. By California law, such forms are required to include something like eight different information elements, describing what the information collected is to be used for, etc. If you find *paper* forms reproduced on the Web in PDF, on various UC campus sites, they do bear those required elements. If you find forms created for the Web, they often do not. Why? Almost certainly because the former have passed through well-worn, formal channels to publish administrative forms; the latter were thrown up by anyone with a bright idea, a need and access to a Web server.

Ross

-----
Ross Stapleton-Gray, Ph.D.
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com

------ End of Forwarded Message

-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/
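The deidentification Stapleton-Gray describes (a working record tagged with a pseudonymous serial instead of a name and SSN, so that losing the working set exposes far less) as an added Python example; this is not code from the original message or from UC, and the record layout, field names and SSN values are constructed for illustration.

```python
import re
import secrets

# Constructed sample records of the kind the message describes: name + SSN + a working field.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "gpa": 3.7},
    {"name": "Bob Sample", "ssn": "987-65-4321", "gpa": 3.1},
]

IDENTIFYING_FIELDS = ("name", "ssn")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def deidentify(records, identifying_fields=IDENTIFYING_FIELDS):
    """Split records into a working set keyed by a random serial and a separate
    re-identification table. The working set carries no name or SSN; the table is
    the only way back and is meant to be held separately, under tighter control."""
    working, reid_table = [], {}
    for rec in records:
        serial = secrets.token_hex(8)   # random, not derived from the SSN
        while serial in reid_table:     # collisions are vanishingly unlikely; keep serials unique anyway
            serial = secrets.token_hex(8)
        reid_table[serial] = {f: rec[f] for f in identifying_fields if f in rec}
        working.append({"serial": serial,
                        **{k: v for k, v in rec.items() if k not in identifying_fields}})
    return working, reid_table


def contains_pii(working, identifying_fields=IDENTIFYING_FIELDS):
    """Check a working set the way an auditor would: no identifying fields,
    and no SSN-shaped value hiding in some other column."""
    for rec in working:
        if any(f in rec for f in identifying_fields):
            return True
        if any(isinstance(v, str) and SSN_RE.search(v) for v in rec.values()):
            return True
    return False


def reidentify(working, reid_table):
    """Join the working set back to identities; only possible with the separately held table."""
    return [{**rec, **reid_table[rec["serial"]]} for rec in working]


if __name__ == "__main__":
    work, table = deidentify(SAMPLE_RECORDS)
    print("working set carries PII:", contains_pii(work))   # False
    print("rejoined with the table:", reidentify(work, table))
```

The serials are random rather than hashed from the SSN, so the working set cannot be re-linked by anyone who lacks the table, and the table itself is the record that records management has to know about, own and protect.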