The university community will redouble information security efforts in the wake of a breach of several servers reported earlier this week.
In a letter today to senior leaders, President Steven Leath and senior vice president and provost Jonathan Wickert called on faculty, staff and students to take seriously the responsibility of protecting Iowa State's information systems and the data stored on those systems.
Security breach details
They also laid out a plan to tighten information security on several fronts, ranging from routine scans of university systems for protected information to stronger password requirements for the university community.
"It is important that we remain vigilant," the president and provost wrote. "Even one person, clicking an unknown link in an email, could unwittingly enable a serious attack on our IT network."
Plans to enhance info security
The letter notes that chief information officer Jim Davis will oversee efforts to ensure that university information is protected and managed appropriately. Key to those efforts is implementation of ISU's new proposed Data Classification Policy, which provides higher standards for protecting university information.
As part of the new information security plan, university officials will:
- Use identity detection software to find protected information that is stored on campus servers, desktops, laptops, storage systems and email, and ensure that the requirements of the data classification policy are met
- Review the business process requirements, access procedures and preservation of protected information in central business systems, and move to strengthen information security in those areas
- Establish strong password standards on all university systems
- Encrypt all university-owned laptops
- Scan campus systems more proactively for known bugs and software vulnerabilities
- Provide the university community with educational resources, workshops and training about information security
What happened
Information technology staff discovered a breach affecting five departmental servers on campus. An extensive analysis revealed the compromised servers contained Social Security numbers of 29,780 students enrolled at Iowa State between 1995 and 2012 and another 18,949 students' university IDs. While officials don't believe students' personal information was the target -- the hacked computers had been infected with software used to create digital money -- Iowa State began notifying and offering free identity protection to all affected students on April 22.
