University of Maryland Unsure of Security of Sensitive Student Information

University of Maryland Office of Information Technology issued a report revealing that sensitive student information stored on university computers may be vulnerable to hackers, and the university lacks an information recovery plan in the event of a disaster.

In the report, issued at an Information Technology Council meeting, the council marked "Security Plan" and "Information Assurance for Protected Information" in red, meaning both topics lacked criteria such as funding or staff.

Council members are unsure how much it would cost or how long it would take to solve the problem, and committees have just begun to examine possible solutions.

Chief information officer, Jeffrey Huskamp, said this semester the council wants to make sure there is protection for computers in advising offices where sensitive student records are kept, including Social Security numbers.

The IT Council plans to conduct a survey of academic and administrative departments on the degree of sensitive information held in each office. The council will put more emphasis on building protection for the departments that say there is a great deal of sensitive information.

The questions about information security on this campus follow a January incident at nearby George Mason University, where a hacker gained access to students' information, including Social Security numbers, prompting an FBI investigation.

This university replaced Social Security numbers with university ID numbers last semester for certain functions such as advising and intramural sports, but many students continue to use their Social Security numbers as their primary means of identification.

Security awareness, providing information for students to prevent security problems, received a green, or high, rating in the IT Council's report. Huskamp cited NEThics as the catalyst for awareness, which frequently provides students with information on security and copyright issues.

But the lack of a "Disaster Recovery Plan" prompted another red rating. Technological disasters can be caused by electrical outages or battery failure, which can lead to information loss, Huskamp said.

Many institutions safeguard against disasters by signing a contract with special services vendors that could provide special computer equipment in an emergency, Huskamp said.

The council plans to establish funding for a contract by late April.

They are also examining how to update the Testudo website to make it more personalized and comprehensive.

The council will meet again March 30 and in May.