Minutes

CIT, October 14, 1997

The meeting was called to order by Pat Moran at 4:00 p.m.

Attending: Lee Norris, Tim Covey, Jack Wilkerson, Paul Escott, Michael Warren, Rick Matthews, Bob Evans, Steven Wicker, Pat Moran, and Rhoda Channing. Lee Norris and Tim Covey attended to address committee concerns regarding network and data security.

Discussion of faculty meeting, e-mail

Before considering the principal topic of security, the committee briefly discussed the faculty meeting of the day before. Several members voiced the need to carefully study what mail client should be recommended for next year's standard load.

Security

Next, the committee turned to data security. Pat noted that, contrary to the perceptions of some of us, IS does not have the ability to read users' hard drives. We have not implemented remote system administration. Pat has seen ways of using weaknesses to access your hard drive. He expressed concern that some information, if it became public, would be damaging to individuals and to the university. Examples of such information are notes on disciplinary matters and on sexual harassment complaints. Another risk is loss of data because of poor backup procedures.

Tim Covey noted that if your computer is turned on and connected to the net, anything is possible. Lee Norris observed that there is always a hole in any operating system. He further observed that security is a hierarchy of layers; the greater the protection, the less convenient the system. The administration system is far more secure than the academic system due to the sensitive nature of the information it holds. The only known penetration of the administrative system has been by individuals who had obtained passwords from authorized users.

Committee concerns fell into three categories:

Liability

The consensus of the committee was that liability is not of primary concern for responsible users. Reasonable and prudent protection means not leaving your computer with sensitive files in a public lab, but it does not mean disconnecting from the network.

Privacy

Privacy of files and communications is a serious concern. While most of us are not concerned about the privacy of most of our communications at present, secure communications will permit us to address a greater range of issues in e-mail. Several members expressed the belief that any mail system we adopt should include the option of encryption.

Lee shared with us that the ability to encrypt any file is included as a part of the standard load! None of the members had been aware of this possibility.

Rick stated that he thought that the risk of someone breaking into our offices or tapping our phones is greater than the risk of having our files read over the network. Rhoda responded that we need a comprehensive education campaign that would make users more sensitive to all such security risks.

Data loss

All members agreed that few users were diligent about backing up data. Pat related the story of a faculty member at a nearby institution who lost both his computer and his backups in a single theft. Part of the problem is lack of discipline (all committee members included!), but part of the problem is that backing up is not convenient.

Lee stated that users with AC accounts were free to back up their PCs to AC. He would prefer to set up home accounts on an NT server instead, with quotas. He stated that the NT servers have higher speed network connections than AC. Lee stated that he thought that 20 Mb of backup space would be appropriate. Rick Matthews favored 500 Mb - 1 Gbyte, with two older backups of similar size in storage. The backups do not need to be instantly retrievable.

Lee and Tim are going to study network backup options and report back to the committee.

The meeting was adjourned at 5:15 p.m.