Today @ Colorado State has been replaced by SOURCE. This site exists as an archive of Today @ Colorado State stories between January 1, 2009 and September 8, 2014.

CSU practices safe networking

June 4, 2009

Concerned about IT security on campus? Vice President Pat Burns discusses policies and procedures for ensuring the safety of sensitive data.

Dear CSU Community:

With the advent of on-line benefits, a few individuals have expressed concern regarding some personal, sensitive data on central systems including Social Security Numbers (SSNs). This communication outlines our policies and procedures for ensuring such data are protected.

University data are of four types:

  • Private - data accessible only by the individual and no one else. This includes passwords, which should never be shared with anyone.
  • Restricted - data that are hidden and accessible only to the individual and to a very small number of selected staff who need access for business purposes. This includes Social Security Numbers and other personal data (benefits plans, etc.).
  • Protected - all other data that are not publicly available, or 'open.'
  • Open - this encompasses a very small set of data, typically directory information (phone numbers, departmental affiliation, and e-mail addresses). These data are open only via the web and not accessible in bulk.

All central data are multiply protected using a 'defense in depth' layered approach, first by being behind a secure central firewall, and second by being on a central database that has an additional layer of security.

Third, access to our most sensitive systems is restricted to on-campus users, and fourth, requires a strong password for access. Fifth, sensitive data transmissions are either isolated between specific systems and otherwise inaccessible, or encrypted for security. Sixth, all client computers are protected via anti-virus and anti-spyware and security updates. We follow all current best practices for IT security and privacy, which are continually updated.

There is no general area of central IT to which we have devoted more targeted attention over the past five years than to IT security and privacy, and this emphasis will persist.

All IT services and systems implemented centrally are subject to a security, privacy, and risk analysis before being implemented. In addition, security and privacy on central IT systems are subject to external audit annually, internal audit periodically, and federal audit about biennially.

Compliance

Moreover, numerous federal and state laws require personal data to be secured and protected, and we are compliant therewith. We are required by state law to update our IT security plan annually and submit it to the State's Chief Information Security Officer.

I invite you to peruse our IT Security Policy (version 10) that is available via the ACNS IT Security home page.

Greatest risks

Indeed, the greatest risks are associated with Social Security Numbers and Credit Card Numbers (CCNs). SSNs must be kept by CSU (and by all businesses) for business purposes (notably federal income tax reporting), and at CSU are stored extremely securely. We are in the third year of conducting exhaustive scans for SSNs and purging them from our non-central IT systems.

Our analysis this year indicates that SSNs on non-central IT systems have been virtually completely eliminated. Several years ago, credit card processing was outsourced such that central IT no longer keeps CCNs. We comply fully with the Payment Card Industry Data Security Standard.

Personnel and access

Finally, our IT security policy makes individuals who are permitted to access central data responsible for accessing only the minimum amount of data necessary for business purposes. And a new data access model is being implemented that will provide additional layers of management attention to security and privacy.

Data security and privacy are taken very, very seriously by all IT staff at the University, where a culture has been engendered of a high degree of security and protection of individuals' privacy.

I hope this addresses your concerns. Please do not hesitate to contact me should you have any questions.


This message originally was posted via e-mail to campus on May 28 by Pat Burns, vice president for Information Technology, interim dean of Libraries, and professor of mechanical engineering.