UC Davis Information & Educational Technology

IT Security

Need to be addressed:
Protect the campus against increasing cyber attacks on our systems and infrastructure.

Description:
It is impossible to imagine not being able to access the information resources and services available to us on the Internet. However, the Internet also provides an environment and opportunity for malicious and potentially devastating cyber attacks. These attacks, which have reached unprecedented levels, include identity theft, fraud, denial of service attempts, misappropriation of computing resources, virus and worm infections, and spam. Our technical staff is spending inordinate amounts of time attempting to prevent and recover from this onslaught. There is no easy solution to prevent these attacks, short of disconnecting from the Internet. The advancement of the UC Davis mission for learning, discovery and engagement is inextricably tied to the availability, integrity and confidentiality of information that traverses the campus data network and the broader Internet community.

Improving computer and network security is a complex and challenging undertaking. The UC Davis IT security architecture is built around four major program components. The architecture recognizes that information security improvements are based on advancing campus progress in each of the following areas:

• Preventive measures to control the number and scope of security incidents
• Security assurance through vulnerability identification and remediation
• Detection and investigation for those security incidents that do occur
• Recovery of any compromised host or network

Over the next two years, the UC Davis information security program must continue to support mandated security requirements, expansion of campus infrastructure security services, and security awareness/education initiatives. In addition, we anticipate the initiation of new information security projects to focus on the following three areas:

Secure Storage – Enactment of recent consumer protection laws requires greater privacy protection for financial information and notification of record holders when there exists a reasonable belief that the record holder’s personal information has been acquired by an unauthorized party. Due to the widespread use of personal information within campus units and the possible loss of personal information from unauthorized data acquisition, enhanced campus measures are needed to provide institutional protection of personal information. In some cases, personal information can be obfuscated or transferred to removable electronic media to reduce the security risks of unauthorized data acquisition. However, where such measures cannot be applied, the personal information must be stored in an electronically secure format and permit access by the authorized staff or faculty member and, under certain conditions, also permit access by campus unit management. A campuswide solution for secure storage will provide information portability and support cost efficiencies. We will soon initiate a campus workgroup to define secure storage requirements. While remaining Internet2 dollars are available to move this project forward, it is not known at this time whether the remaining funds will be sufficient.

Expanded Authentication Services – As recommended in the campus advanced technology project for authentication services, this future project focuses on extending campus authentication to meet broader campus authentication requirements. Specifically, additional authentication development will lead to the support of a single sign-on environment based on authentication levels, integration of the existing campus authentication system with federated authentication systems, Internet2 Web-Initial Sign-On standards and future campus one-card programs for identity authentication, access authorization and electronic wallet functions. Examples of new audiences that will need to be considered as part of this effort include prospective students, parents of students, and UC Davis alumni.

Compliance with HIPAA Security Regulations – The Health Insurance Portability and Accountability Act was passed in 1996. Subsequently, the US Department of Health and Human Services issued supporting privacy and security regulations, respectively in 2000 and 2003. Campus units that provide insurance billing services and administer protected health information must comply with HIPAA security regulations by April 15, 2006. These security regulations affect several campus units, including the Student Health Center, Employee Health Services, School of Medicine, and Crocker Nuclear Lab. The campus must develop a mechanism to ensure compliance with HIPAA security provisions for administrative safeguards, physical safeguards, technical safeguards, policy and procedures, and organizational requirements. It is anticipated that Information and Educational Technology will take a leadership role in the provision of security regulation interpretation, and development and implementation of some HIPAA security compliance measures.

Notes/Status:
Analysis already conducted for campus vulnerability detection services.

IT Strategies:
II.1; II.3 [see the IT Strategic Plan (PDF) for categories]

Sponsor:
Information and Educational Technology