More than 100 students in Iowa State's ROTC services (Army, Navy/Marines and Air Force) participated in a combined Change of Command Ceremony on central campus April 22. This annual military tradition, with the transfer of unit colors, represents a formal transfer of responsibility for a unit from one commanding officer to another. Photo by Bob Elbert.
The university community will redouble information security efforts in the wake of a breach of several servers reported earlier this week.
In a letter today to senior leaders, President Steven Leath and senior vice president and provost Jonathan Wickert called on faculty, staff and students to take seriously the responsibility of protecting Iowa State's information systems and the data stored on those systems.
They also laid out a plan to tighten information security on several fronts, ranging from routine scans of university systems for protected information to stronger password requirements for the university community.
"It is important that we remain vigilant," the president and provost wrote. "Even one person, clicking an unknown link in an email, could unwittingly enable a serious attack on our IT network."
Plans to enhance info security
The letter notes that chief information officer Jim Davis will oversee efforts to ensure that university information is protected and managed appropriately. Key to those efforts is implementation of ISU's new proposed Data Classification Policy, which provides higher standards for protecting university information.
As part of the new information security plan, university officials will:
- Use identity detection software to find protected information that is stored on campus servers, desktops, laptops, storage systems and email, and ensure that the requirements of the data classification policy are met
- Review the business process requirements, access procedures and preservation of protected information in central business systems, and move to strengthen information security in those areas
- Establish strong password standards on all university systems
- Encrypt all university-owned laptops
- Scan campus systems more proactively for known bugs and software vulnerabilities
- Provide the university community with educational resources, workshops and training about information security
Information technology staff discovered a breach affecting five departmental servers on campus. An extensive analysis revealed the compromised servers contained Social Security numbers of 29,780 students enrolled at Iowa State between 1995 and 2012 and another 18,949 students' university IDs. While officials don't believe students' personal information was the target -- the hacked computers had been infected with software used to create digital money -- Iowa State began notifying and offering free identity protection to all affected students on April 22.
Sarah Nusser, vice president for research, presented an overview of her office at the April 22 Faculty Senate meeting. Nusser, a 22-year ISU veteran and professor of statistics, started her new post in the reorganized office on Feb. 1.
"I've learned that the research funding environment is really changing radically," Nusser said. "The projects are larger and riskier, there's a greater emphasis on the full innovation chain -- from research to development to commercialization. While we want to continue to focus on traditional research funding, which is really important for the stature of research at Iowa State, we really need to look at different ways we look at funding and our research portfolio."
Although federal funding has "reached its limit of what it can do at this time," Nusser said there are more funding opportunities available through nonprofit and philanthropic organizations. Crowdfunding -- financing through a pool of backers -- also is gaining popularity, particularly with students.
Nusser said her office has a three-part focus for FY15:
- Expand funding for the Center for Excellence in the Arts and Humanities, with a focus on skills development and prestigious awards, and connecting with the sciences and engineering
- Establish a university-wide seed funding program with interdisciplinary, intercollegiate and interinstitutional opportunities
- Support and invest in large research groups
Nusser's office is hosting a pair of campus forums to gather input on research support, particularly during the pre- and post-award processes. The forums are:
- Wednesday, April 30, 8:30-10 a.m., Memorial Union Campanile Room
- Wednesday, May 7, 3-4:40 p.m., Memorial Union Pioneer Room
Feedback also can be submitted with an online survey, beginning April 30.
Veishea student response
Hillary Kletscher, the new president of the Government of the Student Body, also addressed the senate. She said the Veishea cancellation had a "huge impact on the student body."
Kletscher said a group of about 30 student leaders, outside of President Steven Leath's Veishea task force, also is working on the future of the spring event.
"We really think that an ultimate change can't really come from the university administration -- and I don't mean that in a negative way, but for the student body to really buy into something, it has to come from the student body," Kletscher said.
The group is working on how to create a "culture shift" away from unacceptable behavior and how to get that message to all types of students. Kletscher said they will continue to work over the summer, creating initiatives for next fall, and planned to send out a message on behalf of the student body April 22.
"It's a call to action to hold ourselves to a higher standard, but also to have students grab a friend and say, 'you're better than that, we're better than that, this is how we act as Cyclones,'" Kletscher said.
Four motions were unanimously approved:
- Name change for the genetics graduate program, to genetics and genomics (Ph.D. and master of science degrees)
- Name change for the bioengineering minor program, to biomedical engineering
- Name change for the agricultural history and rural studies graduate program, to program in rural, agricultural, technological and environmental history (Ph.D.)
- Discontinuation of the history of technology and science graduate program (Ph.D. and master of arts degrees)
Four new items were introduced for a vote next week, including:
- Revisions of the charge provided for the outcomes assessment committee to better define its scope and activity
- Proposed bachelor of science degree in early childcare, education and programming, an online degree offered by a consortium of seven universities aimed at a "mobile" student audience, including military families
- Requested name change for the integrated studio arts department, to the department of art and visual culture
- Revisions to the Faculty Handbook (chapter 2.8.1), clarifying the path for approval of a name change for an academic unit
Stephanie Downs joined Iowa State April 15 as the university's first wellness coordinator in university human resources. She will work with internal and external partners to advance the university's wellness initiatives, including the coordination, implementation and evaluation of health and wellness programs. In addition, Downs will be involved in local and state health initiatives, such as the Healthiest Ames and Healthiest State projects.
Previously, Downs was the health promotion coordinator for the city of Ames. She holds a bachelor's degree in exercise science from Iowa State and a master's degree in health promotion from Nebraska Methodist College.
Downs' office is in 3680 Beardshear Hall. She can be reached at 4-8902 or email@example.com.
Student enrollment could be a primary consideration in allocating state funds among Iowa's three public universities under a very preliminary funding model discussed April 17 by a state Board of Regents task force. But the five members of the task force are divided, at least for now, on whether to count all students or in-state students only.
Meeting since October, the task force was asked to investigate a funding model that's based on performance measures, not simply tradition, as is the case now. Dating back to the 1940s, the current model divides the state appropriation on a perceived 40 percent/40 percent/20 percent (Iowa State/Iowa/Northern Iowa) split. This year's $479 million general education appropriation is divided on approximately a 36 percent/46 percent/18 percent split, mirroring at least the last decade.
Which students to count?
"This is the general education appropriation we're talking about. I think it has to follow the Iowa kids," said Mark Oman, retired senior executive vice president of Wells Fargo and Co. and Northern Iowa's appointee to the task force. He argued that other state funding lines help pay for mission-specific responsibilities – for example, a medical hospital or extension -- at the three schools.
"Iowa dollars support Iowa kids," concurred Cara Heiden, retired co-president of Wells Fargo Home Mortgage and Iowa State's appointee. "That feels good to me as a taxpayer."
"That's a good political slogan, but it doesn't embrace all the things we need to consider to make good policy," said Len Hadley, retired CEO of Maytag Corp. and Iowa's appointee. "I can't understand how we would build budgets without counting 35-40 percent of the students [a reference to nonresidents]."
He argued that recruiting out-of-state students is a boon to this state and that "Iowa dollars should follow Iowa scholars."
Hadley suggested an enrollment metric that counts all students and weights graduate and professional students to acknowledge the higher costs of instruction in, for example, Iowa's five health colleges. He said graduates of the state's professional programs in medicine, veterinary medicine, dentistry and law "make a huge contribution to our state and are leaders in their communities."
Regent Katie Mulholland, the board's appointee to the task force, noted that tuition levels and differential tuition provide the needed dollars to offer more expensive programs. She said that Iowa and Iowa State collect four times the tuition of Northern Iowa. Mulholland proposed that state funds follow only resident undergraduate students.
Noting that funding disparities exist "relative to resident students," task force chairman and former regent David Miles suggested a "starting point" that allocates dollars based on total resident student enrollments. But he also favored weighting graduate students "because the workforce data says we need to incent graduate degrees."
Oman said that focusing state dollars on resident students wouldn't discourage nonresident student recruiting. "Iowa and Iowa State succeeded at recruiting out of state when state funds were based on nothing. The universities still benefit financially from recruiting out-of-state students."
Hadley warned that providing state funds only for resident students "sets us up to have the Legislature reduce our overall state funding."
Fall 2013 enrollment
Source: Each university's fall enrollment data
Measuring outcomes, too
In performance-based funding, enrollment is considered an input. Task force members discussed allocating 60 percent of the general education appropriation according to enrollment data, with the remaining 40 percent distributed according to outcomes. Four outcomes they looked hard at last week were:
- Student progress toward degree, measured in credit hours completed (10 percent of funds)
- Access to education, measured by targeted audiences served, for example, first-generation college students, transfer students or federal Pell grant-eligible students (10 percent)
- Student graduates (all levels) placed in jobs in Iowa (10 percent)
- Custom outcomes (university-specific), including board-directed (10 percent)
Requirements for any formula
The group's discussion began with outlining its premises for any new allocation formula. Members agreed that its metrics should:
- Be measurable and transparent. How they're counted should be consistent across the three schools.
- Be straightforward and easily understandable. Complexity may inhibit implementation.
- Be equitable. They should recognize the unique missions of the three universities without favoring any one of them.
- Link directly to the board's priorities as defined in its strategic plan and other documents
- Be consistent, reliable and predictable so the universities can run projections and build their futures
- Demonstrate accountability to legislators, the governor and Iowans
The task force will meet for what is expected to be the last time on May 5 to finalize a performance-based funding recommendation for the board. In the meantime, board staff are running calculations on various iterations of a funding model and retrieving other data for the task force. The task force also has yet to recommend to what portion of the general education appropriation a new formula would be applied -- all or some fraction.
A final recommendation is scheduled to be presented to the regents at their June 5 meeting in Ames.
Information technology staff announced April 22 they had discovered a breach affecting five departmental servers on campus. An extensive analysis has revealed the compromised servers contained Social Security numbers of 29,780 students enrolled at Iowa State between 1995 and 2012.
There’s no evidence any of the data files were accessed, and there was no student financial information in the records. The servers were hacked by an unknown person or persons who intended to generate enough computing power to create bitcoins. Bitcoins are a type of digital money that can be used to buy merchandise anonymously.
“We don’t believe our students’ personal information was a target in this incident, but it was exposed,” said senior vice president and provost Jonathan Wickert. “We have notified law enforcement, and we are contacting and encouraging those whose Social Security numbers were on the compromised servers to monitor their financial reports.”
In addition, Iowa State is reaching out to another 18,949 students whose university ID numbers were located on the compromised servers. University IDs are generally used in combination with a password, and have no use beyond campus. The exposure of these numbers poses no financial threat, Wickert said.
Individuals whose personal information may have been exposed are being notified by mail this week.
Free, expert help in identity protection
The university has retained AllClear, a national firm that specializes in identity protection, to assist those affected by the breach. AllClear representatives, available at 877-403-0281, are knowledgeable about how to watch for and deal with identity theft and fraud.
For those with exposed Social Security numbers, Iowa State will purchase one year of credit monitoring. Those who wish to do so may opt for a second free year of monitoring at the end of the first. This service can be activated through AllClear.
How to know if you may be affected
The compromised servers contained Social Security numbers of some students who took a class in:
- Computer science (1995-2005)
- World languages and cultures (2004, 2007, 2011-2012)
- Materials science and engineering (one class only in ENGR101 in fall 2001 and MATE214 in spring 2001)
Two other servers – one located in agricultural and biosystems engineering, and a second in materials science and engineering – were accessed, but they did not have any files containing personal information.
What’s being done to secure information
The five compromised servers are network-attached storage devices made by Synology. Other Synology users have reported similar (bitcoin mining) attacks by criminals. Iowa State has thoroughly examined all information on the compromised servers. Any files containing SSNs or other personal student information have been deleted.
Out of an abundance of caution, the university has decommissioned, removed from the internet and destroyed the compromised servers. Other servers of the same type are no longer accessible through the internet, have received software updates to prevent hacking, and will be replaced as soon as possible.
University officials are accelerating implementation of Iowa State’s new Data Classification Policy, which provides enhanced security standards and guidance.
The Information Technology Services team will work to improve security on mobile computers by encrypting information stored on them. ITS also will begin a process to improve network security by implementing stronger password standards.
The university has begun deploying software that regularly scans computers, servers and other devices to locate protected information.
“Iowa State has always taken information security very seriously, and we will continue to take every possible action to safeguard the personal information of those who learn and work here,” Wickert said. “We have well-regarded cyber defense experts here who not only protect university data, but educate others on how to prevent computer attacks. Unfortunately, Iowa State is not immune to hacking, but we are disappointed and sorry for the inconvenience this incident may cause.”
Be vigilant of phishing scams
Iowa State University, the ISU Foundation and the ISU Alumni Association regularly and legitimately request information from students, faculty, staff and alumni. However, no one from Iowa State will ever ask for your Social Security number over the phone or via email.
If you suspect fraud or question whether a request you receive is legitimate, please contact the ISU Foundation at 515-294-4607, the ISU Alumni Association at 515-294-6525, or Iowa State’s computer security team at firstname.lastname@example.org.
About 20 winning designs, plus accessories and illustrations, from this month's student-produced fashion show go on exhibit next week in the apparel, merchandising and design program's Mary Alice Gallery. "The Fashion Show 2014" exhibit opens April 28 and runs through Aug. 29 in 1015 Morrill.
At the April 5 event, the "Best in Show" award and its $1,000 cash prize went to senior Whitney Rorah for her collection of white, cream, pink and salmon-colored wedding gowns (pictured). Rorah started the eight-gown collection during fall semester in her senior design studio class and loaned three of the dresses for this exhibit.
An opening reception will be held Monday, April 28 (4:30-6 p.m.) in the gallery. The Mary Alice Gallery is open to the public Monday-Friday, 11 a.m.-4 p.m. Submitted photo.