Audit urges better online protection

System schools need better confidential information security online, according to UW System findings

By: Jacob McCormick

Posted: 4/14/08

Over four million students, faculty, staff and alumni records were involved in 190 college and university database breaches around the country over a three-year span, according to a recent internal audit by the UW System.

Because of this, the audit recommends that System schools do more to protect the confidential information stored on their system databases.

System spokesman David Giroux said the audit was conducted by the System itself and is part of routine checks of policies and procedures.

"This was not a security test," Giroux said. "This was internal auditors examining written policies and procedures to make sure we have the right people and staff positions responsible for data security."

The audit recommends that campuses, such as UW-Eau Claire, create an office for an information security officer to protect the increased risk of unauthorized disclosure of confidential data as a result of the increased use of information technology.

Additionally, while every System school has a process for dealing with security incidents, only two institutions have formal, written procedures documenting the process for responding to the problem, according to the report, which recommends the schools work to develop written policies and procedures.

With the increasing and changing nature of threats, according to the audit, UW institutions will need to increase attention to securing their computer networks and confidential data to mitigate threats to UW computer networks and private data.

Giroux said the culprit isn't always trying to find Social Security numbers or access someone's personal information, as it can be people using the network to distribute illegal music or movies.

"(The breaches) take several forms," he said, "but that's why we do internal audits - it's an opportunity to sharpen procedures and check ourselves against the best practices in the industry."

UW-Eau Claire police chief David Sprick said the department doesn't see a lot of identity theft cases stemming from security breaches on campus. He said the majority of problems come from credit card fraud when someone gets involved in an online scheme.

"It's not what we'd call prevalent or widespread," Sprick said. "If people take reasonable precautions, they of course reduce the risk of victimization and potential jeopardy to their finances."

Senior Becky O'Brien said she isn't extremely worried that her personal information will be compromised in Eau Claire's system. She also said she has used her credit card online and is more worried about a Web site's credibility.

"I trust the school to take care of my information," she said. "I'm more concerned in making sure an online seller has a secure Web page."

Despite the recommendations for increased computer safety precautions, Giroux said they can only minimize, not eliminate, the problem of IT security.

"There are instances where we know we've had data security issues and they aren't going to go away," he said. "Nothing we do will stop people from trying to reach data networks and occasionally people succeed."

Still, Giroux said data security is a significant concern to everyone as people continue to give out more information to different networks.

"Nowadays, we have more and more personal data stored at various computer systems," he said. "It's definitely something we need to continue to keep an eye on."