Ohio University continues to take actions to improve computer network system security
ATHENS, Ohio (May 25, 2006) -- In response to recently discovered data theft incidents regarding computer network servers, Ohio University continues to take steps to remedy the situation and to protect its computer system against further breaches.
?Ohio University regrets these breaches of its computer systems and the inconvenience and problems they have caused individuals. We continue to work diligently to ensure that the university computer system is as secure as possible with the goal that these types of breaches do not occur in the future,? Associate Provost for Information Technology and Chief Information Officer Bill Sams said. ?This is a comprehensive approach that involves a review of all facets of the university?s computer systems operations. It has already led us to take several measures to build a more secure structure and guard against similar problems in the future.
?This is a long-term, ongoing investigation and it is possible we may identify other breaches that have previously occurred,? Sams said. ?These recent incidents of data theft underscore the importance of data security and have led us to accelerate efforts that were already in place in this area.?
Given the potential criminal implications, the FBI has been notified of all breaches by intruders. An FBI agent has been assigned to investigate the Ohio University server compromises.
Approximately 90 servers that are part of the university?s central computer systems have been examined and nearly 1,000 other servers on campus will also be examined and steps taken to make them more secure.
Following is an overview of actions that have been taken or soon will be undertaken in response to the recently discovered data theft incidents regarding Ohio University computer network servers:
Improving Security of Critical Systems
The university?s Security Incident Response Team has expended approximately 5,000-man hours since the discovery of the recent security incidents to increase the security of the university?s central computer systems. Steps taken include:
At this point, the response team has applied initial security hardening techniques to the physical space, network operating systems and databases for all central servers. However, additional work will be performed in the upcoming weeks and months so that Ohio University achieves best practices by industry standards in these areas.
- Complete survey of systems housed in the central machine room
- Implement multiple firewalls
- Rebuild operating systems
- Take non-essential servers offline
Response teams from three independent security-consulting groups are on site to assist staff with ongoing security enhancements. The university has hired an independent consultant to conduct an incident assessment that is expected to be complete in three weeks.
?We appreciate the support and understanding of all the organizations on campus who have experienced shutdowns and delays to their IT support systems as we install and test new security measures,? Sams said.
- Team resources currently are focused on systems in the university?s central machine room. These 90 machines represent less than 10 percent of the total servers on the university network.
- An FBI agent has been assigned to investigate the Ohio University server compromises.
As the initial response phase winds down, IT personnel will focus on comprehensive, long- term security improvements. This work will include:
In the coming weeks, a comprehensive review of the entire network will be conducted. The university will solicit proposals for follow-up consulting to provide a full risk and vulnerability assessment along with an IT organizational review.
- Continue to harden existing systems.
- Complete inventory of server-based applications and their associated data.
- Conduct a review of institution-wide policies and procedures related to data security.
- Provide education and outreach programs to all faculty and staff about best practices for handling sensitive data and general safe computing.
Restructuring of Central Information Technology
An initial restructuring of the university?s central Information Technology departments was announced on Friday, May 19. This restructuring resulted in the dissolution of the Office of Computer Services, with employees of that department being reassigned to the following operations:
SIS Project Remains on Track
- Twenty-four employees were combined with the existing Enterprise Group to form a new Applications Services group headed by Shelley Ruff.
- Seventeen employees were moved to the existing department of Communication Network Services under Tom Reid. To reflect the added scope of that department?s responsibilities, its name has been changed to Computer and Network Services.
- Fourteen employees were combined with the existing Center for Innovation and Technology for Learning (CITL) to form a new Academic Technology group under Marjorie DeWert.
- IT Security Compliance personnel now report directly to CIO Bill Sams.
In addition to the current security-related work, the university?s plan to upgrade its Student Information System remains on track, with a Request for Proposal going out to software vendors.
Background of Situation
On April 21, it became known that a server used to store patent and intellectual property files had been compromised. On April 24, a security violation of a computer system with personal information on more than 300,000 alumni, faculty and staff members and donors and friends of the university was discovered. On May 4, the university discovered that someone gained access to more than 60,000 current and former students personal medical records via a server for the university health center.
The university has taken steps to alert those whose records are affected by the data theft incidents. Further, the university has established a Web site at www.ohio.edu/datasecurity and hotline, 800-901-2303 or (local calls) 740-566-7448 to answer further questions.
[ 30 ]
Media Contact: Director of Media Relations Jack Jeffery, (740) 597-1793 or firstname.lastname@example.org, or Media Relations Coordinator Jessica Stark, (740) 597-2938 or email@example.com