Metro takes steps to tighten security of campus network
By David Pollan
dpollan@mscd.edu
To protect students and faculty from further
incidents compromising their personal information, Metro has
begun to implement new
policies and procedures intended to significantly increase the
security of sensitive data stored on Metro’s computer systems.
Following the theft of a laptop containing the names and Social
Security numbers of 93,000 current and former students, Metro
hired Business Consultants, Inc. to investigate and review the
college’s policies and information technology (IT) systems.
BCI has completed its assessment and made the necessary recommendations
to the school to improve the security of personal information.
“It was a really complete process to let the school know
of any issues they may have had and how they could rectify the
situation,” said
Brad Mathers, security consultant for BCI.
Metro President Stephen
Jordan announced the initial steps he directed IT to take to
tighten system security in response to
BCI’s recommendations August 1. Jordan focused on the most
critical areas of exposure identified by BCI.
“As a result of these recommendations, beginning immediately,
IT will implement changes in systems, policies and procedures
that will significantly increase the security of personal data
stored on college systems,” Jordan stated in a letter to
all faculty, staff and students. “Many of these changes
will have an impact on your access to and use of college computer
resources.”
The steps IT will be taking include making stronger
restrictions on employee access to data in Banner, employing
strict limits
on the downloading of sensitive data, requiring data encryption,
strengthening password requirements and implementing shortened
session time-outs.
“The steps to solve the most critical areas of exposure
have already been set in motion,” said Metro spokesperson
Cathy Lucas.
According to Lucas, at the beginning of the fall
semester, the IT department will also begin scanning laptops
and desktops for
confidential data, starting with those of the 200 Metro employees
with Banner access. After the computers of the Banner users are
scanned, IT will then begin scanning those of faculty and staff.
If confidential data is found on these computers, and is authorized,
the data will be encrypted.
Lucas estimated that all new policies,
procedures and necessary training will be implemented by the
end of the 2006-2007 school
year.
“IT will notify the college community and publish the
new policies and procedures as far in advance of their implementation
as possible
and will provide education and training when necessary,” Jordan
said.
According to Jordan, some of the changes being made will
require users to modify their computing habits, but the changes
are necessary
to secure the computer environment.
“It is critical that we accept and adhere to these changes
in order to mitigate the risk of another incident similar to
the
one we experienced in March,” Jordan said.
R.M. Tracy, co-founder
and president of Privacy Trust Group, has considerable expertise in the
area of identity theft and prevention.
Privacy Trust Group is an organization that helps consumers and
businesses protect themselves from identity thieves. Tracy is
also a former FBI special agent.
According to Tracy, Metro’s plan is only part of what is
needed.
“What they are doing is a good start and needs to be done,” she
said. “But it goes beyond just computer systems and databases.
It needs to be an organization-wide approach that covers every
aspect of the organization, not just IT.”
If the college
does this, Tracy agrees it will diminish the risk of a similar
situation happening again.
Overall, the stolen laptop incident has cost Metro $500,000,
Lucas said. This cost entailed everything BCI did during their
investigation, which included the initial assessment of the crisis,
the call center and the evaluation of the policies at the time.
According to Mathers, from March to May BCI did a complete audit
of Metro’s network infrastructure and databases. The assessment
focused mainly on the IT department and reviewed current policies
and procedures as well as proposed new ones. BCI checked for
any possible security issues and did a complete IT security assessment
of the campus.
Mathers declined to specify what problems BCI
might have found or recommendations they made.