UH brings in national expert to improve systemwide information security

University of Hawaiʻi
Tina Shelton, (808) 956-9803
External Affairs and University Relations
Posted: Dec 9, 2010

HONOLULU - Cedric Bennett, a national expert in information security for higher education, is helping the University of Hawaiʻi evaluate and improve its information security practices.
Bennett, information security director emeritus at Stanford University, conducted face-to-face meetings last week in Hawaiʻi, interviewing leaders, staff and faculty within the university system and its campuses.
“I’m conducting an independent, high-level review of the security posture of the University of Hawaiʻi,” he said. “Campuses nationwide are discovering that improving security is not just an information technology issue, it’s a challenge to the traditional higher education culture."
Based on his analysis of UH and understanding of higher education practices, Bennett will identify current information security weaknesses and provide a recommended list of priorities for action.
UH System Vice President for Information Technology and Chief Information Officer David Lassner expects to receive Bennett’s preliminary report before Christmas. Lassner’s office is taking the lead on developing a systemwide plan to improve security throughout all ten UH campuses.
“Bennett’s external review and recommendations will ensure that we are aligned with best practices in colleges and universities,” said Lassner.
Bennett praised UH for taking action beginning in 2002 to eliminate the use of social security numbers (SSN) as student identifiers with the implementation of its systemwide student information system as well as the elimination of the SSN as the employee ID.
But at UH, as at every college and university, the SSN is still a necessary data element for tax reporting, for payroll, for financial aid and other specific purposes. UH has been working to locate and remove or secure information from the many decades in which the SSN was the sole identifier and was in wide use throughout all UH campuses.
Unlike organizations such as banks and hospitals, “servers and databases in higher education are highly decentralized," said Bennett, who noted that “UH is not unique in this regard.” There are hundreds of servers throughout UH campuses managed at the department and college level.
While current UH policies outline the requirements for eliminating sensitive information where it is not required and securing it where it is needed, there have been limited resources for security implementation throughout the 10 UH campuses. Lassner observed that “Bennett’s recommendations on how to provide stronger central support and oversight in an academic environment will be helpful in guiding the shifts in practices necessary at UH.”
"From my visit last week, it is clear that both UH system and campus leadership at the highest levels understand that systemic improvements are necessary, that additional resources are required, and that there will need to be changes in the completely decentralized approaches that have prevailed at UH and many other institutions,” said Bennett.
A preliminary plan and budget for systemic improvements in security will be prepared by early January 2011.