Information Security Memo - June 2005

To: Faculty and Staff
From: David W. Pershing, Senior Vice President for Academic Affairs
A. Lorris Betz, Senior Vice President for Health Sciences and Dean, School of Medicine
Stephen H. Hess, Associate Academic Vice President for Information Technology
Pierre Pincetl, Assistant Vice President/Chief Information Officer, Health Sciences Center
Subject: Information Security

 

The purpose of this memo is to re-emphasize the importance of managing and securing sensitive personal information stored electronically, or in paper form, on college, department and personal computers, desks and file cabinets.

Our Information Technology Resource Security Policy (PPM 1-18) states that "Users of IT Resources must not knowingly retain on personal computers, servers, or other computing devices, Private Sensitive Information, such as Social Security Numbers, financial information including credit card numbers and bank information, or protected health information, including health records and medical information" unless specifically approved by the Dean, Department Chair, or Vice President, and only when absolutely necessary to perform one's official duties.

The University administration has taken steps to protect personal information residing in central systems and to restrict access only to those individuals who require such information to perform their duties. Most campus IT professionals take the same precautions. However, our campus is not immune from attacks, especially those that may result from hacks into insecure computers and personal missteps.

In the last several months, news agencies have reported the loss or exposure of personal information affecting almost 2.7 million students, faculty, staff, alumni and individuals affiliated with other U.S. colleges and universities. Many of these security breaches were the result of the loss or theft of laptop computers, lost hard drives, inappropriate web posting, hacks into department computers, loss of alumni lists, and the disappearance of paper records from individual desks and bookshelves.

Because of the vigilance of campus IT Professionals, and your attention to this important topic, the University of Utah will not receive this kind of news coverage.

To protect the University and all of our students, employees, alumni, and affiliates, we recommend that you ask yourselves these questions:

- Do I store anyone's personal information, including my own, on my personal computer, PDA, or in paper form?

- Does our department use Social Security Numbers on forms or applications when unique identifiers such as EmplID or UNID are sufficient?

- Do administrative support people store credit card information on computers in order to make hotel and other travel arrangements for our faculty and staff?

- Do we store conference registration, or other e-commerce transaction information, that may include social security numbers or credit card numbers?

- Do we store prospective student or alumni information that may contain social security numbers?

- Do we store vendor, contractor, or consultant information that may contain social security numbers or financial information?

- Do we generate and store PeopleSoft reports that contain sensitive personal information?

- Am I unsure about whether or not my own or my personal assistant's password is secure?

- Is it possible that my own desktop or laptop computer could be electronically or physically accessed or stolen by undesirable individuals?

If you answered "yes" to any of these questions, please contact the campus Information Security Office (ISO) at security@utah.edu or 585-1012. ISO may be scheduled to perform an information security audit and can advise you regarding "best practices" for information security. If you work in the Health Sciences Center, please contact the Privacy and Information Security Office at security@hsc.utah.edu or 587-9241, for recommendations based on HIPAA Privacy and Security requirements.

Remember, the sensitive information that you protect may be your own!

------------------------------------------------------------
Distribution of this message was approved by Stephen Hess, Associate
Academic Vice President for Information Technology, University of Utah
Phone (801) 581-3100, 101 Wasatch Drive, Eccles Broadcast Center,
Salt Lake City, UT 84112