TAMUCC I.T. Security

Recent Data Breaches at Other Education Institutions

In the light of the most recent educational institution data breaches at the University of California-Los Angeles and the University of Texas-Dallas, I wanted to address the actions that the Texas A&M University-Corpus Christi (TAMUCC) is taking to protect the sensitive information of its students, faculty, and staff. The intent of this letter is to assure everyone that this university understands the importance of protecting all of the sensitive information it is required to collect and maintain. We are also aware of the many challenges that a university environment presents to this effort and we are taking the appropriate steps.

The State of Texas separates sensitive information into several categories in Texas Administrative Code Chapter 202:

Confidential Information - Information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.
Mission Critical Information - Information that is confidential or is defined by the institution of higher education, or state agency to be essential to the institution of higher education, or state agency function(s).
Restricted Personal Information - Includes an individual's social security number, or data protected under state or federal law (e.g., financial, medical or student data).

All universities are required to obtain and maintain confidential and restricted personal information to comply with federal and state requirements and to perform essential functions consistent with their mission.
The challenge for TAMUCC is balancing the flow of information, education of students, and the research of the instructors with the security of business and educational resources. The university has accepted this challenge and we are meeting the explosion of technological capabilities available to students, staff, and faculty with a comprehensive list of university procedures developed by leaders in the university faculty, staff, and information technology department. These university procedures are stepping stones necessary for the university to protect its sensitive information and critical assets while providing and maintaining the capabilities necessary to educated and research.

There are several additional protections that TAMUCC is utilizing to ensure the protection of its sensitive information and critical assets.

Personnel and financial records are processed and stored on a well protected system with limited physical and electronic access.
The campus network is protected by a defensive in depth strategy of firewalls and other security appliances and applications.
The campus network is maintained at a level that security concerns are identified and addressed in the most expedient manner available.
All faculty, staff, and students workers are required to take an annual information technology security awareness training course.
Every department and college at this university is required to perform an annual risk assessment to help identify systems that contain critical information, critical assets, and their current state of operations.
A security manager has been hired to assist university personnel with university wide information security, risk assessment, and risk mitigation.

Although the university is doing what it can to protect the sensitive information and critical assets on this campus there are plenty of steps that everybody else can take to improve the situation.

If you are a member of the university faculty and staff, become familiar with the procedures of your department and identify where sensitive information is store and when it is required for business purposes. If a job can be completed without the acquisition and storage of this information then suggest a change to your procedures. Also, if sensitive information is written down on any forms then ensure that those forms are protected under lock and key or destroyed in a paper shredder, preferably on that performs cross-cut shredding.
If you are a custodian of an information resource consider the function of your asset and determine if it is a candidate for resource consolidation. TAMUCC Media and Computer Services provides secure web and database resources maintained by extremely knowledgeable and helpful administrators. Resource consolidation will save your department time and money while increasing the security of these information resources.
Finally, the best protection is individual vigilance. Be sure to properly manage your workstation by ensuring your operating system, virus protections, and applications are updated and patched on a scheduled basis. Refrain from keeping confidential and restricted personal information on your workstations.

Despite all of the protections provided and the efforts of all the individuals working or attending this university, there will always be the potential that sensitive information will be compromised. This has become an unfortunate fact of the current state of technology for our generation. There are, however, several ways that each of us can be proactive in our personal protection measures. Annual credit reports from the three major credit reporting companies can be obtained through the Annual Credit Reports website. It is recommended that persons requesting credit reports through this system do so on a staggered basis (i.e. one report every four months) instead of requesting all three reports at the same time. Information about how to protect yourself and your family as well as how to handle the unfortunate occurrence of identity theft is provided by the federal government on the Federal Trade Commissions ID Theft website. The State of Texas provides a similar resource through the State of Texas Department of Public Safety.

Everybody can help by being concerned about the methods used to maintain sensitive information at TAMUCC. If you have a concern, please bring it up to your instructor, immediate supervisor, the faculty/staff or student helpdesk, by filling out the online TAMUCC Computer Security Incident Report Form. As always, if you have any concerns or questions, about this or any other security related issue, please feel free to contact me personally via email at or via phone at 825-2124.

References: