Data Security: Protecting Rice's Electronic Resources
Introduction
As most people have noticed, the news is full of organizations announcing the loss and theft of personal data and information:
- Veterans Affairs Stolen Laptop (http://www1.va.gov/opa/pressrel/pressrelease.cfm?id=1123)
- UT-Austin School of Business Compromise (http://www.utexas.edu/opa/news/2006/04/data23.html)
Data can be lost in any number of ways, from “hacking” of systems that have weak passwords and out-of-date security patches to people losing laptops that contain sensitive information or having them stolen. In either case, protecting and securing personal and confidential data is a responsibility all of us at Rice share.
It’s the Law
Like other states, in 2005, the State of Texas passed the “Texas Identity Theft Enforcement & Protection Act.”
The law describes what constitutes data theft, the responsibilities of those who exposed the data, and the actions that victims can take to remedy the situation.
Rice University is responsible for securing resources that contain identifying information, such as social security numbers, addresses and phone numbers. If the Information Security Office determines that the information was made available, either through stolen hardware or a compromise, Rice also has the responsibility to notify those whose data was exposed.
There are also several federal laws that require organizations to protect data, like:
- http://www.ed.gov/policy/gen/guid/fpco/ (for student records)
- http://www.hhs.gov/ocr/hipaa/ (HIPAA, for health records)
Steps Information Technology is Taking
The Information Technology division has already taken some steps to address the issue, and is still working on more solutions.
- Things that are already in place
  - Encrypting Network Traffic
  - Enhanced Spam and Phishing Filters
  - New AntiVirus Software (http://www.rice.edu/it/security/download.html)
  - Cisco Clean Access (http://www.rice.edu/it/security/clean.html)
- Things that are coming soon
  - Internet Firewalls
Steps Everyone Can Take
The protection of Rice University’s data, electronic or otherwise, is all of our responsibility. We should feel some attachment to it – some of our personal information is there.
With that in mind, here are some steps that everyone can take to ensure our confidential information stays confidential:
- Use good password-“sense”
  - Force the use of passwords on computers used to access Rice resources, both in the office and at home
  - Choose a good, hard-to-guess password
  - Don’t share your password
  - (http://www.rice.edu/it/security/passwords.html)
- Ensure that your computer is safe (this includes computers that connect to Rice from the office and at home)
  - Apply security patches automatically as they become available.
  - Run antivirus and update it daily. (http://www.rice.edu/it/security/download.html)
  - Use a personal firewall.
- Leave data on the server
  - As much as possible, do not copy sensitive information to your desktop, laptop or portable device.
  - Work from the server copy of documents containing sensitive data.
- Remove all data from all devices (computers, PDAs, cell phones, etc.) BEFORE they are transferred to another user or department, sold, or otherwise disposed of.
  - Many cases of data theft occur from systems that are sold or transferred before they are cleaned of private and confidential data. (http://www.rice.edu/it/security/disposal.html)
- Use secure connections to access resources
  - Rice University uses secure connections for many of the most commonly used network applications (email, web, calendar, etc.).
  - Rice also provides VPN access to securely connect to the Rice network while at home or away. (http://www.rice.edu/it/network/vpn.html)
- Report incidents, from stolen devices (laptops, PDAs, etc.) to suspected network break-ins, immediately
  - The quicker we know about an incident, the quicker we can respond, potentially limiting any damage.
More Information
Here are some more sites that discuss identity theft, both on and off campus:
Government Sites
- Federal Trade Commission (http://www.consumer.gov/idtheft/)
- Department of Justice (http://www.usdoj.gov/criminal/fraud/idtheft.html)
Rice Sites
- Identity Theft Protection
- What is Phishing?
- A simple explanation of Phishing
Also, you can contact the Information Security Office at security@rice.edu.
Marc Scarborough
Information Security Officer
marcs@rice.edu
Rice University Information Security Office
http://www.rice.edu/it/security/index.html
