Protecting Research Data From Data Breaches
Larry Conrad
Most IT departments at colleges and universities tend to focus their security efforts around protecting administrative data – items such as student records and financial information. While that approach makes sense, a breach experienced by one of our research groups two years ago at the University of North Carolina, where the Social Security numbers of 115,000 research subjects were compromised, is leading us to completely rethink the way that we protect research data.
Embarrassing though the incident was, there has been no indication of negative consequences for the affected parties, and it did lead to a much more open conversation about IT security in our research organizations. Through discussions with the Faculty Council, we have tried to motivate many of our faculty to think more about building security into their planning and budgeting processes.
We started by explaining the scope of the problem. Our intrusion protection system at UNC Chapel Hill intercepts roughly 30,000 attempted hacking incidents every day. People need to understand that today's hackers are smart, global and automated, function 24x7 and, quite often, are professionals working for profit.
In addition to explaining the scope of the problem, we have worked with the campus community to establish a set of information security policies. We set policies on everything from general user passwords and security standards to transmission of sensitive information, incident management, data governance and e-mail.
As part of this process, we have asked all units (including researchers) to identify where sensitive data resides in their organization. For example, if a group has a server that stores Social Security numbers, we ask them to remove the SSNs. If for some reason they need to store sensitive information, then we tell them to encrypt it.
To help in this effort, we have asked units to identify all the systems administrators throughout the organization and enlist them to identify which servers have data that needs to be removed or protected (for example, by encryption). We are also poised to begin a formal "scanning" process to help identify systems that are not adequately protected. We are pursuing a three-strikes-and-you're-out strategy, setting a policy that after a third security failure, the system administrator function for that server must be outsourced to a third party.
Get Everyone Involved
As part of our overall strategy, we have expanded the scope of our IT data governance operation to include research data. We also made sure that the university's research administration and legal/compliance offices were involved. In addition, the provost established a new Stewardship of Digital Research Data Task Force. This group is responsible for making recommendations on research data management issues, including security. For instance, it will determine what data to preserve, how long to preserve it, how to structure the governance process and how to fund these activities. The task force is set to issue a report on its findings sometime in early 2012.
Of course, supporting expanded IT security can be expensive. For example, 10 Gigabit Ethernet intrusion detection/prevention systems or firewalls cost hundreds of thousands of dollars. However, even in times of austerity, colleges can create security awareness programs, establish a policy base for information security and put a governance structure in place.
It's also possible to structure purchases over three to five years so that the administration doesn't balk at the price tag. Another option is to restructure your IT staff. For example, even though I have had to lay off 40 people because of budget cuts, I've been able to expand the security staff by reallocating funds.
However you proceed, your main goal should be that everyone on campus understands that they have a role in and are responsible for protecting the university's networks and its sensitive data.