[ISN] ASU streamlining tech security policies

InfoSec News isn at c4i.org
Wed Nov 9 01:05:56 EST 2005 

http://www.asuwebdevil.com/issues/2005/11/08/news/694815

By Brian Indrelunas  
November 8, 2005

Officials say ASU needs more streamlined computer-security policies,
and students can help update or rewrite those policies online.

Speaking at a panel discussion Thursday, Detective Terry Lewis of the
ASU Department of Public Safety said he came across many different
procedures for dealing with possible computer crimes when he seized
approximately 20 hard drives during a Secret Service investigation in
June 2002.

"There's no one coordination or policy for all the different IT
departments," Lewis said. "I got yelled at because I stepped on some
toes, but I needed to get those hard drives right away."

Investigators said they found illegal software installed on the seized
machines that logged all information typed into the computers.

The man arrested in connection with the case may have accessed
personal information belonging to 29 ASU students and employees, The
State Press reported in 2003.

Some of the computers were seized from the Computing Commons, which is
run by Information Technology, but computers were also taken from
other campus departments with their own IT staffs.

Forensics expert Bill Kalaf said ASU should come up with specific
processes to be followed, and employees should document any actions
they take.

Joe Askins, the director of security planning for central IT, is one
of a number of people looking at how to improve ASU's technological
security.

One possibility, Askins said, is to write a set of specific procedures
to accompany the security policies included in ASU's Computer,
Internet and Electronic Communications policy.

But that policy went into effect in September 2000 and has undergone
little revision since.

"Obviously, security threats and vulnerabilities, requirements and
everything else and tools have changed in the past five years," Askins
said.

Instead, a new set of security policies may be on the way, he added.

Computer security is one of eight focus areas in ASU's long-range
technology plan, which is being developed in an open, online
environment.

University Technology Officer Adrian Sannier is drafting the plan on a
site that uses the same technology as Wikipedia, an online
encyclopedia that allows any user to edit its pages.

Anyone who creates an account on the site can analyze strengths,
weaknesses, opportunities and threats regarding ASU's computer
security or the other sections.

"We want to make this as open a project as possible so it gets the
best results," Askins said.

Askins and other designated moderators are working with the submitted
information to draw up an assessment of ASU's computer security.

 From there, a plan will be developed.

"We're all working toward Adrian's goal of having a somewhat completed
[plan] by the end of the calendar year," Askins said.

The online collaboration site, known as a wiki, can be accessed
through Sannier's Web site, http://adrian.sannier.net.

More information about the ISN mailing list