Dear LAS Faculty and Staff:
Recently, Iowa State University discovered a serious server breach affecting five departmental servers on campus. Most of the potentially compromised student data were stored on servers in Computer Science and World Languages and Cultures. One of the file servers contained archival student data dating back to 1995, including social security numbers and other personally identifiable information. We have no evidence that the data was accessed, but we also cannot be sure that it remained safe.
Security breaches of this nature pose a severe risk to Iowa State University, in terms of reputation and financial liability. Data security must take priority over personal convenience.
Iowa State University is developing a suite of data classification and information security policies which are currently posted in draft form at the Policy Library website. President Leath and Provost Wickert have announced a six point plan to ensure proper protection and management of digital information which I have shared with all LAS department chairs. We will make it a college priority to implement and monitor these policies and practices. Effective immediately, I am instituting the following steps, to prevent further incidents and to ensure that LAS is the campus leader in data management and information security:
LAS IT personnel will be involved in the purchase of all network attached electronic devices (servers, desktop computers, laptops, tablets, etc.) if these purchases involve ISU funds. ISU funds include grants, PI incentive accounts, and professional development funds.
LAS IT personnel will implement an ongoing security audit of all computers (including servers, laptops, tablets, etc.) purchased with ISU funds. The audits will be performed using identity detection software (e.g., Identity Finder) which scans for sensitive data including:
social security numbers,
credit card information,
user/password data, and
other personal information (e.g., university IDs, dates of birth, etc.).
LAS IT personnel will work with departmental and research group system administrators to analyze, purge, or securely archive such data, in compliance with ISU data management policies.
The IT technician in your department or the LAS IT technician assigned to your area and their backup technician should have administrative access to all computers (including servers, laptops, tablets, etc.) purchased with ISU funds. This is the most effective way of ensuring appropriate data management. Department chairs can request exceptions by contacting Associate Dean Arne Hallam; exceptions will only be granted if security audits will be performed on a regular basis in close coordination with ITS and LAS IT personnel. It is essential that you consult with ITS and LAS IT personnel with regard to any systems which store, process, or grant access to protected information. All ISU accounts must have passwords that meet university security standards. Authenticated access and secure transmission of data will be required to access almost all campus services from off-campus computers. Regular audits will be performed. All employees should be familiar with and follow existing ISU policies on information technology security and electronic privacy (see, e.g., IT Security Policy, Electronic Privacy, and Social Security Number Policy).
Finally, let me stress that IT personnel are required to report all IT security incidents immediately to ITS. In addition, IT personnel and department chairs should inform the LAS IT Security Team. Severe intrusions, involving student or employee data, must be reported to the LAS IT Security Admin list.
We are committed to keeping our student, faculty, and staff information – including yours! – protected against any unauthorized intrusions.
Please work with your IT personnel as they implement these changes.
With best wishes,
Beate Schmittmann, Dean