Individual Responsibility for Information Security
MEMORANDUM
To: Faculty and Staff
From: David W. Pershing, Senior Vice President for Academic Affairs
A. Lorris Betz, Senior Vice President for Health Sciences and Dean, School of Medicine
Stephen H. Hess, Associate Academic Vice President for Information Technology
Pierre S. Pincetl, Associate Vice President, Chief Information Officer, Health Sciences
Date: September 9, 2005
Subject: Individual Responsibility for Information Security
Do you have private sensitive information, such as Social Security
Numbers, financial information including credit card numbers and bank
information, or protected health information, including health records
and medical information, stored on your personal computer? Could this
type of information be found in spreadsheets, Word documents, or
copies of reports, databases or forms on your computer? If you
answered yes, or if you are unsure, this memo is intended to clarify
your individual responsibility regarding information security at the
University of Utah.
This past summer, a campus department computer was compromised,
potentially exposing the names and Social Security Numbers of
approximately one hundred thousand former and some current University
employees. Such events expose the University's friends and associates
to an increased risk of identity theft and they anger and frustrate
those individuals as they take precautions to protect themselves from
potential fraud. These events negatively impact the University's
reputation, cost tens of thousands of dollars, consume hundreds of man
hours, and waste other valuable University resources.
Our Information Technology Resource Security Policy (PPM 1-18) states
that "users of IT Resources must not knowingly retain on personal
computers, servers, or other computing devices, Private Sensitive
Information" unless specifically approved by the Dean, Department Chair,
or Vice President, only when absolutely necessary to perform one's
official duties, and if appropriate security measures are taken.
It is the responsibility of IT professionals within your organization to
implement and administer security procedures under the direction of the
cognizant authority. However, it is each individual's responsibility to
(a) know whether or not private sensitive information is stored on their PC or other computers for which they have responsibility,
(b) inform the cognizant authority that such information resides on these computers,
(c) seek the appropriate permissions to retain such information on these computers, and
(d) take precautions to secure such information according to "best practices and procedures" as defined by the campus Information Security Office.
You should not assume that your computers do not store private sensitive
information. Instead, you should actively verify whether or not such
information exists on your machines. In the course of routine or
requested audits, Campus IT security staff members continue to find
sensitive information in spreadsheets, Word documents, databases, etc.,
stored on PCs and servers, even when the user believes that such
information does not exist on their machine(s). Please follow these
guidelines:
1. Know where private sensitive information is stored on individual, department and college servers and computers.
2. Make sure that you have the appropriate approvals to store such information.
3. Ask the Information Security Office to perform a security audit on servers and computers that store private sensitive information.
4. Do NOT use Social Security Numbers as a personal identifier unless it is required and approved by the cognizant vice president. University department and personal computers that store Social Security Numbers must be audited by the University Information Security Office.
5. Data Custodians or LAN Managers should enable logs on all computers and servers that store private sensitive information so that inappropriate access to such information can be monitored.
6. Where possible, don't grant administrative rights on personal computers. Allow only qualified IT professionals to add software to personal computers. IT professionals are generally aware of software that can be exploited by hackers.
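Guideline 1 asks you to know where sensitive data sits, and the paragraph above says not to take a machine's cleanliness on trust. The following is an added example, not part of the University memo or the Information Security Office's own audit tooling, of how a first-pass discovery scan for Social Security Numbers and payment card numbers can be run over a directory of plain-text files (CSV exports, TXT reports). It reduces false positives by rejecting SSN values the Social Security Administration never issues and by applying the Luhn mod-10 check to card-like digit runs. The sample files and every number in them are constructed for the demonstration. Word and Excel documents are compressed containers, so a real scan would need a text-extraction step before this logic; that step is assumed and left out here.

```python
"""Added example (not from the memo): discovery scan for SSNs and card numbers
in plain-text files.  Assumes files are already plain text; Office documents
would need a text extractor first (out of scope here)."""
import os
import re
import tempfile

# 3-2-4 digit groups with hyphens; structural validity is checked separately.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000.  Cuts false positives from IDs and dates."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) pairs for plausible SSNs and card numbers."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


def scan_tree(root: str) -> list[tuple[str, str, str]]:
    """Walk every file under root and report (relative path, kind, value).
    Bytes are decoded as UTF-8 with undecodable bytes dropped, so binary
    files are scanned too but rarely yield structurally valid matches."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore")
            rel = os.path.relpath(path, root)
            for kind, value in scan_text(text):
                findings.append((rel, kind, value))
    return sorted(findings)


def run_demo() -> list[tuple[str, str, str]]:
    """Build a constructed sample tree and scan it.  All data below is made up."""
    root = tempfile.mkdtemp(prefix="pii-scan-")
    samples = {
        # A plausible SSN plus a phone number that must NOT be reported.
        "payroll_2004.csv": "name,ssn,phone\nJ. Doe,123-45-6789,801-581-3100\n",
        # A Luhn-valid test card number, a 16-digit number that fails Luhn,
        # and an SSN whose area number (666) is never issued.
        "notes.txt": "card 4111 1111 1111 1111\nbad 1234 5678 9012 3456\nssn 666-12-3456\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, kind, value in run_demo():
        print(f"{rel}: {kind} {value}")
```

Run it against a home directory or a departmental share and treat every hit as a question for the data owner, not as proof; the structural checks remove the obvious noise, but only a person can say whether a reported file is approved under PPM 1-18. The reverse also holds: a clean scan of plain-text files says nothing about the .doc and .xls files the audits in this memo keep finding, which is why the extraction step matters in practice.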
These instructions apply to paper files as well as to electronic files,
whether they reside on University-owned computers or on personally owned
computers used to work at home or at other off-campus locations.
If you have questions regarding this memo, please contact the campus
Information Security Office (ISO) at or 585-1012. ISO
may be scheduled to perform an information security audit and can advise
you regarding "best practices" for information security. If you work in
the Health Sciences Center, please contact the Privacy and Information
Security Office at
or 587-9241, for
recommendations based on HIPAA Privacy and Security requirements.
------------------------------------------------------------
Distribution of this message was approved by Stephen Hess, Associate
Academic Vice President for Information Technology, University of Utah
Phone (801) 581-3100, 101 Wasatch Drive, Eccles Broadcast Center,
Salt Lake City, UT 84112