Last month, someone walked into a UC Berkeley office and swiped a computer laptop containing personal information on nearly 100,000 people.

It is just that scenario that worries UC Davis computer specialists like Robert Ono and is one reason why the campus is upgrading its computer security standards in the year ahead. While new efforts are underway, it is not as easy as you might think in a world of byte-sized complexity.

"No single security solution will provide complete protection to computers attached to the campus network," says Ono, the information technology security coordinator at UC Davis. "The campus promotes the use of multiple security approaches" in establishing new security standards and security mandates.

One thing is certain — talking with IT colleagues helps a great deal. To that end, UC Davis will host the 2005 IT Security Symposium on June 22-24. Co-sponsored by the UC Office of the President, the symposium will provide 30 hands-on training labs and 15 lectures to enhance the security skills and knowledge of campus technical staff. The symposium will start with a keynote address by Scott Charney, chief security strategist for Microsoft.

The symposium comes at a time when UC Davis is strengthening its own computer security. In fact, it was designed with the security needs of UC Davis technical professionals in mind, Ono says.

"The goal is to provide system administrators and other technical professionals with practical information for enhancing computer and network security levels within a university environment."

Ono says he and colleagues have identified 14 security practices that will improve the integrity, availability and confidentiality of electronic information as well as the security of the campus computing network. The standards were based on input from the campus community.

New reporting standards

With this feedback, the campus has established a new policy requiring each campus unit to annually report to their respective dean, vice chancellor or vice provost the extent to which their organization is meeting these security practices.

Some of the higher priority recommendations include installing critical security updates promptly, running anti-virus software continuously, disabling insecure network services, authenticating computer users, removing personal information from all computers when possible, reducing unauthorized access to computer systems, and devising firewalls to deny traffic unless it is expressly permitted.

Ono notes, "Where compliance cannot be acknowledged, campus units are being asked to describe either a compliance or risk mitigation plan." Ultimately, each dean, vice chancellor and vice provost will integrate their individual campus unit reports into an overall summary report to the Chancellor and Provost, he says.

Ono suggests that units identify gaps between current practices and the recommended practices. "The resulting information will help campus units to develop a correction plan prior to the first annual reporting date."

Deans, vice chancellors and vice provosts must submit their reports by July 1, 2006.

Fast-moving threats

At UC Davis, he says, most of the current Internet-based security threats target security vulnerabilities within individual network-connected devices. "Malicious programs, often within Internet worms, e-mail attachments or Web sites, take advantage of these vulnerabilities to take direct control of a computer."

Hackers can inspect data files residing on the compromised computer, use the now-compromised computer to attack other computers or use the computer for unauthorized, and sometimes illegal, purposes. The problem, Ono adds, is that the security threats are able to spread particularly quickly now with the availability of high-speed data networks and the increased use of mobile computing devices.

Data storage heightens risks

The risks of identity theft have risen in recent years as technological advances make it easier for businesses, schools and other organizations to create vast databases containing Social Security numbers, credit card account numbers and other personal information.

All that valuable data has turned the computer storehouses into inviting targets for thieves.

Ono says universities have a significant responsibility when it comes to the information they maintain.

He pointed out that UC Davis participates in the UC Information Technology Policy and Security Officers Committee, which meet three times per year to discuss information security programs and policy. The committee consists of representatives from each UC campus. "Leading-edge security approaches developed by UC campuses are shared at these meetings," he says.

In addition, UC Davis participates in Educause, an organization of higher education institutions that focuses on the use of information technology.

When UC Berkeley learned of the laptop theft, it had to contact affected individuals to comply with a state law requiring that consumers be notified if their Social Security numbers or other sensitive information have been breached — information that could be used to obtain loans or conduct other business falsely.

The Berkeley incident was yet another in a string of incidents where large organizations have lost control of personal information that they keep in databases. And this was the second time in six months that UC Berkeley was involved in a theft of personal information.

Recent breaches have also occurred at Lexis-Nexis, a data storehouse where computer hackers obtained access to the personal information of 32,000 people; and Chico State University, where a computer hacking job exposed 59,000 people to potential identity theft.

Universities have accounted for 28 percent of the 50 security breaches of personal information recorded by California since 2003, said Joanne McNabb, the chief of the state's Office of Privacy Protection. That is more than any other group, including financial institutions, which have accounted for 26 percent of breaches affecting Californians.

Ono looks forward to the upcoming IT Security Sympo-sium. He says Microsoft's Charney will discuss future security challenges and responses to those threats.

Greg Loge, director of information technology for the College of Agricultural and Environmental Sciences, says the main challenge facing campus IT professionals is gaining the support from departments, colleges and administrative units to provide the necessary resources and staffing to secure their unit's systems.

"Providing a secure computing environment requires a concerted effort by campus units to adequately staff, fund and support the changes necessary to secure systems and keep them that way," he explains. And it is important. Loge adds, that faculty and staff abide by the security standards if they are to yield the desired benefits.

See http://itsecuritysymposium.ucdavis.edu for event details.