A private university recently experienced a near institutional drowning in the turbulent wake of a server theft.
The scarily unprepared institution realized just how detrimental the burglary could be only after it noted that thousands of students whose records were stored on the server could become victims of identity theft.
Someone acting as if he were an employee simply meandered into the school after hours, waved to the security guard on duty, and bounded up the stairs to the office he had been scoping out for weeks. He then shoved CPUs, laptops and the all-important server into some garbage bags – but not before he sat down for some hours to check out various student and personnel records. This was discovered by the night cleaning crew, who also assumed he was an employee working late.
So who was responsible for cleaning up the mess left by this windfall heist? Seems that the school officials have no idea.
One employee whose computer had been stolen reported the incident to the local and college police, another called the IT department, and one began coordinating the ordering of replacement equipment.
The next week, the IT department head, who is responsible for all things technical and infosecurity-related at the school, met some of the victims and tried to blow the incident off as a simple physical theft. And while he became a little more concerned after some further explanation – learning that students' records for the past five years, along with their social security numbers, were thieved – the IT guy simply stated that none of the clean-up was his job. The discussion got heated until, finally, one of the victims angrily volunteered to research what records were stolen, draft a letter to students and parents warning them of the theft and its possible ramifications, and lead the implementation of new security rules for his department.
Everyone whose private details were housed on the server has since been notified. The replacement equipment is now chained to desks. And the IT department, which has the responsibility for all technical deployments in the school, has been provided with a clearer description of its roles and responsibilities by higher-ups.
Now, those higher-ups need to implement an overall business continuity/disaster recovery plan to address departmental issues and needs, mandate training, and clearly define personnel duties. Perhaps they could even try a risk management plan, like the one Peter Stephenson will be discussing at our SC Forum this October in Napa Valley (see story, p32). Heck, they might also want to hire at least one or two real IT security professionals.
Ah well. They'll likely finally accept such a need after the latest incident which, apparently, occurred about a week ago, when two laptops from the admissions office at the school went missing.
Illena Armstrong is SC Magazine's U.S. editor.