IT Security Plan in effect at CSUN

Deborah Rivera

An Information Security Plan has been adopted by CSUN to protect confidential information, in electronic or paper form, pertaining to students and employees at the university.

The plan was adopted in early 2004, and in December of that year, Al Arboleda was hired as the university’s information security officer at Information Technology Resources, which placed him in charge of the plan.

According to Arboleda, every campus needs to have an information security officer as part of a mandate from the CSU Chancellor’s Office.

One reason for the plan is that in the last few years there have been several cases of identity theft and personal information exposures throughout the country, Arboleda said.

He said these cases have been the driving force for the CSU to ask individual universities to adopt a comprehensive security plan to protect themselves.

Earlier this month, Citigroup Inc. announced that confidential information such as Social Security numbers and account and payment information stored on computer tapes had been lost when the information was shipped to a credit bureau in Texas.

Citigroup is not the only major company to confront private information breaches.

In March, LexisNexis reported that hackers stole a database that stored names, addresses and Social Security and driver’s license numbers. The hackers gained access to about 32,000 personal files.

The plan calls for close oversight of university consultants, vendors and contracted service providers. Contracts with the university will specify what the contractor will have access to and will state that the information is only to be used for explicit business purposes.

According to the IT security plan, there will be an “Incident Response Team” that will be responsible for identifying problems and coming up with resolutions.

Other measures of security include having computer network passwords changed every 90 days. Desktops, after being idle for 20 minutes, will go to a password-protected screen saver.

Not only does the university need to comply with and operate an active security plan, but it must also comply with other regulations.

“The university has a responsibility to be compliant with federal and state laws,” said Spero Bowman, Chief Information Officer for ITR.

Such federal and state laws include the Gramm-Leach-Bliley Act, which requires that the university design and implement specific policies to protect private information.

Arboleda is in the process of formulating a schedule of training classes to be made available to staff, faculty and students to make them aware of security issues. Arboleda said some possible classes include how individuals can protect confidential information, prevent identity theft and set up firewalls.

These classes will become part of the security awareness program that is scheduled to start in Fall 2005. Arboleda is considering making October “Security Awareness Month,” but an official decision has not yet been made.

Prior to that, two pilot classes will be offered on Tuesdays and Thursdays, beginning this summer. The classes will be open to staff and faculty and are being held to formulate ideas about what is needed by the university in terms of further security measures, Arboleda said.