Information Security Efforts


I am writing to make you aware that OIT is in the process of further ramping up its information security efforts.  This is in response to increasing threats; we are acting in collaboration with our colleagues in Health Affairs and across UC. We have had a strong security focus over the long haul, and are in generally good shape.  Despite this, we have much to do.

We are raising our own internal priority of security enhancement efforts, increasing the robustness of our datastore inventories, conducting an additional risk assessment of systems with sensitive data, reviewing access paths, running additional vulnerability scans, and taking other steps.  We plan to bring in external assistance to validate our plans and to help us with some of the work. 

What does this mean to you?  For one, our increased security efforts might impact our response time to your units.  We will certainly keep the lights on, and maintain critical project deadlines, but some tasks may slip.

For two, we are in the process of implementing additional security best practices, some of which individuals may find inconvenient or otherwise undesirable.  These include increased use of “Duo” to augment passwords when accessing sensitive data; required annual password changes; future additional controls to access the wireless network; and the like.  It’s also possible that our scans might find a vulnerability that inadvertently takes something down for a short period of time.

For three, we will be working with your units to ensure that our sensitive data inventory is comprehensive and accurate; and to increase security awareness and best practices.  

The threat is very real, as we have seen from frequent news stories about stolen data: 60 million credit card numbers from Home Depot, personal information on 110 million Target customers, 22 million social security numbers from the US Government Office of Personnel Management.  Recently UCLA Health announced that records for 4.5 million individuals might have been exposed due to a cyber-attack there.  We have had smaller incidents here at UCI as well.  

While maintaining information security involves everyone, IT organizations play an extremely important role in implementing and maintaining technical controls.  These are particularly important in protecting against external cyber attacks, which tends to be the type of breaches that impact the largest populations of individuals (all of the examples above are in this category).

Protecting our systems and data is a daunting task due to the complexity of modern networks and systems, and their pervasive use throughout the enterprise.  It has required steadily more attention from OIT staff over recent years, with a major upswing last year.  We have a team of 7 staff dedicated to information security and are in the process of adding more.  Security practices also require on the order of a quarter or more of the time from each and every member of our organization. 

In the past hackers were more often than not in it for “sport” – they broke into systems for the challenge of doing so. However, hacking has become a thriving, lucrative criminal enterprise; hackers are well equipped, resourced, and motivated.  On the black market, stolen financial records are worth real money, and stolen medical records are worth even more.

We will continue to coordinate our efforts through the  Campus Ethics and Compliance Risk Committee, and its Information Security and Privacy Subcommittee.  We will provide additional communication regarding specifics as we move forward.  

Thank you for your support and assistance; please let me know if you have concerns, observations or questions.

Dana Roode
Associate Vice Chancellor and Chief Information Officer