Effective Management of Information Security and Privacy

In May 2005, hackers broke into Stanford University’s Career Development Center, gaining access to Social Security numbers, résumés, financial data, credit card information, and government information for 10,000 students and recruiters. In the same month, 380,000 students, alumni, faculty, employees, and applicants of San Diego State University were affected when hackers broke into four of the university’s business and financial services department servers, gaining access to Social Security and driver’s license numbers. In January 2005, hackers broke into George Mason University’s campus identity card server and gained access to the names, photos, Social Security numbers, and campus ID numbers of 59,000 current, former, and prospective students, as well as current and former faculty and staff. The list goes on, and no university seems immune to these attacks. For many universities, such events have served as wake-up calls to develop a comprehensive information security and privacy strategy. This is no simple task, however. It involves balancing a culture of openness with a need for security and privacy. Recognition of the diverse stakeholders—parents, students, applicants, alumni, staff, faculty, third parties—and their sometimes competing interests is both vital and difficult. Regulations, community expectations, ease of access to records, and increased cyber-threats demand an aggressive strategy while imposing sometimes heavy financial Effective Management of Information Security and Privacy