Security council watching out for student privacy
A UA information privacy council created after last spring's CatCard debacle is doing a bit more than watching out for wayward Social Security numbers.
An e-mail bomb that blasted through and stalled a central UA computer system in November prompted the Information and Security Advisory Council to start a university-wide test of the school's strengths and weaknesses in computer security.
The council reasoned if hackers can clog a system, then they can get private data from it as well.
"In the old days before computer data storage, you could not get personal information and privacy was not an issue," said John Wilson, a council member and director of decision and planning support.
"We have to set rules in order to protect information," Wilson added, a sentiment echoed by Peter Perona, planning and projects director at the Center for Computing and Information Technology.
"The council looks at both these issues because what good is privacy without security," Perona said, adding a report is expected on UA President Peter Likins' desk by spring.
"We are still in the process of identifying our principles and assessing areas of improvement and then we will move into the recommendation mode," Perona said.
Likins formed the council in July - four months after the UA illegally released student and employee information to Saguaro Credit Union and MCI Telecommunications Corp. The data was returned, but the council was created in response.
"The good side of the CatCard dilemma is that it brought to Likins attention the need for a security council to make sure private information stays private," Perona said, adding he be-lieved there has been no leakage since the March SSN release.
Perona said the council is using some principles outlined in an April report by the Association for Managing and Using Information Resources in Higher Education, a Colorado-based group devoted to university-level computer issues.
The report identifies principles of fair information release policies, and some central tenets include:
Notification - where student permission must be gained before information is disclosed
Minimization - or only utilizing as much information as needed
Secondary use - or obtaining student permission to use personal information for purposes not originally intended
"Some people do not want one fragment of information released but not everyone on campus feels the same way," said Sharon Kha, associate vice president for communications.
Certain information needs to be released such as the grades of scholarship students to assess the performance but only a few officials need the information.
"Not everyone needs access," Kha said.
Information Security Council Officer Mely Tynan was out of town and unavailable for comment.
Genevieve D. Cruise can be reached via e-mail at Genevieve.D.Cruise@wildcat.arizona.edu.
|