Published: Aug. 18, 2005

Campus administrators at the University of Colorado at Boulder have begun implementing plans to improve security for the 6,000 servers and 20,000 computers in use on campus, particularly for those that contain sensitive data that is more likely to be targeted in cases of identity theft.

Although the full plan will require further review and funding approval to implement, parts of the plan already are under way, according to Bobby Schnabel, vice provost for academic and campus technology.

"Implementation of some parts of the plan can be done quickly and for those activities we are forging ahead," Schnabel said. "But the entire plan is more extensive and will require input from the chancellor and other parties, in addition to funding for equipment and staffing.

"We also have been reviewing the plan as more information becomes available from the forensic work that has been done to date on recent computer incidents involving Wardenburg Health Center and the Buff OneCard," he said.

"The university is very concerned about computer security and we're working hard to ensure our policies and security measures promote a high degree of confidentiality," according to Schnabel. "This includes a detailed risk assessment of key departments by an outside security firm, measures to limit external access to our servers and encryption of sensitive data wherever possible."

Among the activities already being implemented is an inventory of campus servers that contain sensitive information to determine whether any other servers have been compromised. CU-Boulder announced today that a new breach of a secondary server in the Registrar's Office was identified as a result of the server inventory now under way.

In addition, 10 to 20 key departments that handle sensitive information are scheduled to undergo a risk assessment by a private computer security firm, which the university is in the process of hiring.

CU-Boulder has notified all persons whose personal information may have been accessed in four server security breaches during the last month of computers containing sensitive information such as names and Social Security numbers. No evidence has surfaced to indicate that any of the information has been used.

Other steps that will be taken to improve computer security include:

o Removing computers that do not require inbound Internet accessibility from inbound access. Once identified, these computers would have outbound Internet access but not inbound, so that hackers would not be able to access the computers remotely.

o Adding secure access standards that were applied to Information Technology Services-controlled machines in January 2003 to all campus computers.

o Reviewing enforcement of the existing Minimum Computer Security Standards to make sure security standards are being administered and monitored properly. The campus IT Council and the Chancellor's Executive Committee will conduct the review.

o Examination of whether sensitive data on servers is encrypted and whether the server can function as needed if its data is encrypted. In some cases encryption prevents the data processing that the server is intended to perform, Schnabel said.

o Review of whether increased centralization of some campus computer functions is feasible. The current system, which is partially centralized and partially decentralized, developed over time as departments created their own internal computing systems to support individual academic and business processes.

"As at most universities, the campus computing environment is fairly distributed, meaning that in addition to the computers managed by the campus computing organization, or ITS, many are managed by individual departments," Schnabel said. "In some cases, what we're seeing now is that the benefits of local control are being overshadowed by security concerns because many of the departments are not able to devote sufficient resources to security issues," he said.