M E M O R A N D U M
TO: Campus Community
FROM: Robert N. Shelton, President
SUBJECT: IT Security
DATE: February 21, 2007
In January 2007, the University discovered a rather serious computer system security breach, which resulted in the disruption of service in two units, the Libraries and Procurement and Contracting Services. With the dedicated work of many people across campus, who spent many hours fixing the compromises to our computer systems, most of the services in these units have been restored, although residual work still is taking place to ensure a full recovery. I greatly appreciate the efforts of those involved for acting swiftly and concisely to remedy the situation.
The expansive nature of this event has greatly heightened security issues, which must become a very high priority for all of us. Many lessons were learned, pointing to action we must take as an institution to prevent this from happening again. Securing a campus of this size and complexity is not easy, particularly while protecting and maintaining the integrity of our scholarship, research, and outreach missions. Many actions will require ample time and discussion before implementation. The purpose of this memo is to communicate the actions, authorities, and accountabilities we have identified to better prepare us in the future.
Action:
1. Please review and adhere to the Interim IT Security Policy and all other IT-related policies, which can be found online at http://security.arizona.edu and http://policy.web.arizona.edu.
2. Units must take any and all actions that reduce their exposure to compromise of university and personal data of any kind. These actions include but are not limited to:
- Evaluating all personally identifiable & confidential data and, where feasible, removing it. Securing all data that must remain.
- Meeting at a minimum the best practices identified in the Interim IT Security Policy.
- Establishing unit specific policies and procedures as needed.
3. The Office of the Executive Director of the Center for Computing & Information Technology (CCIT), the Learning Technology Center (LTC), and the Office of Student Computing Resources (OSCR) will compile a list of services, applications and data that are not centrally located at CCIT. A formal call will be made with details and a defined response deadline.
4. CCIT, working very closely with campus units, will start implementing other security measures such as firewall protection, network access control and other such systems as deemed appropriate. CCIT will act in cooperation with all units, but units must cooperate and comply with these actions.
5. All units must review and update their preparedness plans to determine whether they could sustain activities should their systems be breached.
6. CCIT has begun developing a plan outlining a series of recommended actions to be taken over time. I would like the results of this preliminary planning to be expanded into a detailed description of further action with resource requirements and timelines. The Office of the Executive Director of CCIT, LTC, and OSCR, with the assistance of campus IT groups, will be responsible for coordinating the actions of this plan.
Authority:
1. CCIT has the authority to audit (planned and off-cycle) all colleges and support units, their servers, workstations, applications and network systems.
2. CCIT has the authority to require changes to the above.
3. CCIT has the authority to remove those systems from the network if they fail to comply with requirements and requests within the time frame specified.
4. CCIT has the authority to require validation of system cleanliness before any system can be returned to the network.
5. CCIT is authorized to take temporary ownership of department IT organization in the event of a compromise that will impact the campus. This ownership is for the purpose of response, compromise evaluation, remediation and restoring activities.
6. All Vice Presidents, Deans, Directors, and Department Heads have the management authority and are expected to take appropriate actions to comply with IT and Security Policies.
7. Under the guidance of CCIT and as agents of CCIT, network managers and IT infrastructure staff are authorized to take necessary actions related to matters of IT security that have been deemed appropriate by CCIT management.
Accountability:
1. Vice Presidents, Deans, Directors, and Department Heads will be held accountable for non-compliance with policy, including incurring the costs of CCIT resources needed to respond to issues if they fail to meet the criteria set forth in the security policy.
2. As stewards of the campus network infrastructure, CCIT will – within its ability – attempt to protect the campus from network attacks while providing a network that supports the educational mission of the University.
Unfortunately, we have come to a point where we must move from the "open environment" to which our community has become accustomed to a more controlled and audited environment that more effectively secures our campus in a consistent, standardized manner, without limiting academic freedom. The actions we take as an institution to protect the University's information assets must be secure, practical, and sustainable. Security is everyone's responsibility. Thank you for your cooperation.


