|
A Quick Lesson in Computer Security
One of the most basic principals in computer data security the that of “risk mitigation.” Essentially, it is doing everything possible to minimize sensitive data being compromised and to reduce any harm if it is.
One of the most basic methods of accomplishing this is by deleting old data. I haven't taken classes at the University for two years. Why does the Department of Art have my old records? What value do they add to the school? (I graduated from the School of Journalism.)
Now, I see the value in keeping my official transcripts; I want the University to maintain those records. However, individual schools should only keep the minimum information needed to function. This way, significantly fewer students are at risk.
“If you don't need it, delete it.” (B R Stuckey, 2006)
Second, the University needs to mandate industry accepted encryption across all administrative computers. If there are records on the computers, the volumes that store the data should be encrypted. This way, the incident would have been a "hardware theft," not a "sensetive data theft."
There is a serious lack of understanding about how to manage sensitive digital information at the University of Minnesota. The school needs to establish and enforce strict standards for handling sensitive student data. Each college needs to have someone with a technical background to oversee the handling of private student data.
Students trust the University of Minnesota to keep their GPA, SSN and other records private. The University owes it to students, current and former, to diligently defend this data.
Besides, there has to be a FERPA/HIPAA violation in here somewhere….
|
