Most members of our campus community have probably read or heard about several high-profile breaches of information security recently at private corporations, government agencies, and other institutions of higher learning.

Comment from efuller on 09/07/06
ITS is keenly aware of the apparent dichotomy between security and convenience and the difficulty of striking an appropriate balance, especially in an environment that values academic and intellectual freedom and the free flow of information. Nevertheless, there are compelling reasons for enhancing security practices, among them an increasingly hostile Internet, regulatory compliance, and increased awareness and scrutiny of information security practices by external auditors and the Board of Trustees. ITS will make every effort to ensure that the security practices we put in place will not be onerous and that we will not unnecessarily sacrifice ease of use for the sake of security.
------------
Ed Fuller
Associate Vice President for Information Technology Services
© Copyright Ithaca College. All rights reserved; unauthorized use prohibited. All material on this server is produced by our community but, except for designated pages, is neither approved nor verified by Ithaca College.
I'd also note that it is rare for information to be hacked in transmission -- it happens, but most of those news stories we all have been hearing are about how information was stolen out of the server on which it was stored, not while it was being transmitted. So, it makes no difference if you send your credit card info or your social security number online via a secure connection, or if you give it over the phone, or if you visit the store in person and use your card -- the thing to worry about is how well that other party is protecting your sensitive information once they have it on their servers and in their system. THAT is the point of weakness that needs the most protecting. Online businesses have the whole transmission thing down tight -- but are they storing your info securely once they have it?
Also a note from a recent experience: my bank recently instituted "Two-Factor" sign-ons for accessing bank accounts online. That means that in addition to a user id and a password (of at least 8 characters, with at least one letter and one number, and which is changed every 3 months), there is now also a matrix -- a grid of numbers with axes of letters and numbers. Below the id/password login, a random selection of three of these cells (such as A5, G3 and F2) must also be entered.
While this new practice does make the system harder to hack into, it ignores the fact that security is not only a matter of technology, but also of human interactions and behavior. With this matrix, there is no way the users are ever going to memorize that grid, so we are forced to print out a copy (maybe more than one, in case one gets lost) and carry it around with us. Having something printed out and carried around significantly DECREASES security -- but there's no other practical way. All the bank has done is to shift responsibility off themselves onto the customers, who are hardly prepared or placed to manage security of this sort for themselves. Despite increased security on the technology end, my bank account is now LESS secure, thanks to these new measures.
More system breaches occur because of physical access -- such as looking over a secretary's shoulder and seeing the password s/he has taped to his/her monitor so s/he won't forget it -- than from random hackers hacking in remotely. A password so tough and/or changed so often it has to be written down is actually LESS secure -- because of the natural human factor.
As security plans go forward, I hope our ITS will keep the human factor well in mind.
Respectfully,
Karin Wikoff, Electronic Resources Librarian (with some grad school training in network security, and a tiny bit of experience, but not the expertise or experience of our ITS staff)
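The grid-card second factor described in the comment above, written out as an added Python example. This is illustration code, not the bank's system and not anything from the original page; the card dimensions (10 lettered columns, rows 1 to 9), the two-digit cell values, the three-cell challenge, and the seeded-RNG hooks used for reproducible testing are all assumptions. It also shows the point the comment makes: the server's check is only "does the response match the card", so whoever holds a copy of the printout answers every challenge exactly as the account owner would.

```python
"""Matrix-card ("grid") second factor: card generation, challenge, verification.

Added example for illustration; grid size, cell values and challenge size
are assumed, not taken from any real bank's scheme.
"""
import hmac
import secrets
import string
from random import Random

COLUMNS = "ABCDEFGHIJ"   # assumed: 10 lettered columns (A..J)
ROWS = range(1, 10)      # assumed: numbered rows 1..9
CHALLENGE_SIZE = 3       # the comment describes three cells per login


def generate_card(seed=None):
    """Build a card: dict mapping a coordinate like 'A5' to a two-digit value.

    `seed` makes the card reproducible for testing; a real issuer would use
    the secrets module (the seed=None path) and never reuse a seed.
    """
    rng = Random(seed) if seed is not None else None
    card = {}
    for col in COLUMNS:
        for row in ROWS:
            value = rng.randint(10, 99) if rng else secrets.randbelow(90) + 10
            card[f"{col}{row}"] = f"{value:02d}"
    return card


def make_challenge(seed=None):
    """Pick CHALLENGE_SIZE distinct coordinates the user must look up."""
    coords = [f"{c}{r}" for c in COLUMNS for r in ROWS]
    if seed is not None:
        return Random(seed).sample(coords, CHALLENGE_SIZE)
    chosen = []
    while len(chosen) < CHALLENGE_SIZE:
        pick = secrets.choice(coords)
        if pick not in chosen:
            chosen.append(pick)
    return chosen


def answer_challenge(card, challenge):
    """Look the cells up on the card and concatenate them.

    This is what the legitimate user does with the printout in hand, and it
    is exactly what someone who found or copied that printout does too: the
    scheme cannot tell the two apart.
    """
    return "".join(card[coord] for coord in challenge)


def verify_response(card, challenge, response):
    """Server-side check of the second factor.

    Constant-time comparison so a wrong response cannot be refined digit by
    digit from timing differences.
    """
    expected = answer_challenge(card, challenge)
    return hmac.compare_digest(expected.encode(), str(response).encode())


def password_meets_policy(password):
    """First-factor rule quoted in the comment: >= 8 chars, a letter and a digit."""
    return (
        len(password) >= 8
        and any(ch in string.ascii_letters for ch in password)
        and any(ch in string.digits for ch in password)
    )


if __name__ == "__main__":
    card = generate_card()
    challenge = make_challenge()
    print("challenge:", " ".join(challenge))
    print("user enters:", answer_challenge(card, challenge))
    print("server accepts:", verify_response(card, challenge, answer_challenge(card, challenge)))
```

Note that nothing in `verify_response` depends on who is typing: possession of the grid is the whole second factor, which is why the comment's concern about a card that has to be printed and carried around is a concern about the factor itself, not just about user habits.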