Wednesday, January 12, 2011
UH request for $1.9 million for security should be weighed against its responsibilities
by Larry Geller
The University of Hawaii says it needs $1.9 million to tighten its Web security and lessen the chance of future data breaches of individual privacy.
In addition, the 10-campus system would need about $764,000 a year to maintain and operate the upgraded system, said David Lassner, the university's vice president for information technology.
[Star-Advertiser, Securing data will be costly, UH says, 11/12/2011]
I could not attend the Senate informational briefing yesterday at which UH said it will need big bucks to improve its data security. It’s not my intention to dispute anything said there.
But the data breaches that made the news should not have taken any money to prevent. Senators should think carefully about whether UH should be let off the hook for its mistakes. Certainly, implementing overdue security monitoring should not be allowed to become a profit center.
An earlier article here pointed out that the professor (now retired) who is scapegoated for the most recent breach (almost 41,000 student social security numbers, etc.) should not have been given that information to begin with.
The “one bad apple” defense doesn’t hold up well. In fact, the breach began earlier—when that data was given by the University to the professor in the first place. It was not necessary to have given him social security numbers—all he needed was the basic data for his research, identified by a random record number.
The other two incidents also originate from failures of UH to protect personal information. The hacked data on 15,000 Kapiolani Community College students who applied for financial aid was stored on the computer unencrypted and accessible to a hacker. The parking lot breach, affecting 53,000 people, 40,870 Social Security numbers and 200 credit cards, was also a UH failure at base: The personal information, including social security numbers, should not have been collected or stored in the first place, and again, was not protected by encryption.
Bottom line: do things right in the first place.
From today’s news article:
Lassner said a national adviser on higher-education information security visited the campuses recently and told UH officials that security was being underinvested.
If so, Lassner has to account for that lack of investment.
Very good points.
And the fact that this exorbitantly high $$ amount is all of a sudden needed is an indicator of the time and extent that UH has been negligent.
But you are right about the scapegoating.
The $$'s proposed uses have to be examined and fancy IT consulting sharks need to be put on a shelf.
This is just like other "utilities" failing to perform basic functions while pocketing or squandering the existing resources, then claiming emergency, new rules needed, new equipment needed, new jobs needed... NEW YOUR MONEY needed!