An administrative restructuring following three network security breaches has resulted in the dissolution of one university department as part of an effort to improve network security that will cost Ohio University millions of dollars.
As of May 19, the Office of Computer Services has been dissolved and its employees were incorporated into other departments in an attempt to streamline the process of running the university's network, said Bill Sams, associate provost for information technology and chief information officer. As a result, Communication Network Services has been renamed Computer and Network Services.
We're reorganizing on more functional lines
Sams said.
The departmental restructuring resulted after three network security breaches that compromised the Social Security numbers of about 137,000 alumni and donors and 60,000 student medical records, which also contained the students' Social Security numbers.
Prior to the security breaches, the university did not place enough emphasis on network security, Sams said. As a result of the breaches, the university has realized it reached a critical point in budget cuts, he added.
The distribution of network responsibility also was poorly designed, Sams said. Two departments, Computer Services and CNS, were responsible for maintaining the network, which created conflict.
The design resulted in competition Sams said.
Because the university is still in the first stages of conducting an investigation to determine how the servers were illegally accessed, it has yet to be determined how exactly the breaches happened, Sams said.
It's also still unclear if employee or departmental negligence contributed to the data breaches. However, yesterday consultants contracted by the university began to survey the data breaches and conduct interviews with university employees to determine what, if any, individuals or departments were responsible for the breaches.
The audit team will present its findings to the OU Executive Cabinet and the OU Board of Trustees in three weeks. Sams said he is keeping an open mind pending the results of the investigation.
The university is also in the process of conducting security audits to determine the extent of the breaches and secure the network from future incidents. So far the university has spent $500,000 on software and hardware and $300,000 on outside consulting and has paid for more than 5,000 man-hours, Sams said. He added that the entire process likely would cost the university millions of dollars.
The university audit so far has not detected any additional breaches, but Sams said, I've still got concerns until we finish analysis early next week.
Three independent security-consulting groups, including consultants from Internet Security Systems Inc. and two other groups that Sams declined to name to avoid revealing the nature of the audit, will assist the university with the process.
A request for a risk assessment audit is being constructed, Sams said. That audit will take a comprehensive look at the university's IT department, including budgeting and structuring.
The rash of security breaches began after the university was alerted of an incident with a server at the Innovation Center, 340 W. State St., by the FBI on April 21. Two days later the university discovered a breach on an alumni server. That incident compromised at least 137,000 alumni and donor Social Security numbers.
The alumni server, thought to be offline, was still active through a series of events, Sams said. However, previous university press releases in regard to this incident stated that the compromised Innovation Center server was thought to be offline, instead of the alumni server.
At the Faculty Senate meeting May 15, OU President Roderick McDavis speculated that the alumni server breach might reduce the number of donations to the university.
The most recent security breach, which was reported in a May 11 Post article, compromised a server at Hudson Health Center and, as a result, made the medical records of all OU students, and some faculty and staff, since 2001 vulnerable. In that breach about 60,000 identities, including Social Security numbers, have been compromised and are at risk of potentially being stolen.
Immediately following the discovery of the breach, the server was taken offline and has remained offline. Hudson has moved to a paper system, pending the completion of the security audit, and an audit to determine the university's compliance with Health Insurance Portability and Accountability Act, Sams said.
The U.S. Department of Health and Human Services is investigating the matter for HIPAA compliance, according to a spokesman. The FBI also is still investigating the breaches.
17
Archives
Sean Gaffney
