Cyber-attacks Take Aim at Universities
Massive cyber-attacks hit the news every week: Target, the University of Indiana and the University of Maryland are recent examples. Breaches are all too real, frequent, and costly within industry and higher education. This short video from President Wallace Loh of the University of Maryland highlights consequences and damage from very sophisticated cyber-attacks experienced on his campus last month. He discusses the need to achieve balance between centralized versus decentralized IT systems, and observes “Our University's entire cybersecurity system is only as strong as its weakest link.” It takes three minutes to view his remarks.
Here at UT Austin, we are keenly aware of the security challenges within our distributed IT environment. Some systems on campus meet stringent security requirements, and some do not. The Executive Compliance Committee recognized that a policy change was needed to reduce UT Austin’s IT risks by requiring commodity IT servers to transition to the University's virtualized environment or be co-located in the University Date Center (UDC). The goal of this policy is to reduce the overall risk of cyber-attacks by increasing physical security and information security in accordance with existing University IT standards. Costs of virtualization and co-location in the UDC are highly subsidized for the foreseeable future to motivate adoption, and in many cases units have reduced operational costs by moving services to the data center.
Last month, Gregory Fenves, Executive Vice President and Provost, and Kevin Hegarty, Vice President and Chief Financial Officer, announced the change in University policy requiring all commodity IT services be either physically or virtually located within the University Data Center. The policy change applies only to commodity IT services. “Commodity” IT servers are defined as “web servers, mail servers, file servers, database servers, and directory servers” in colleges, departments, and units. This policy goes into effect September 1, 2014, to enable campus time to plan and transition. Of course, not all IT services fall into this category and exception requests can be filed with the Information Security Office.
Members of the campus community have the legal and moral responsibility to do everything possible to protect the University's digital assets and reduce the risk of cyber-attacks at UT Austin. As the campus implements the policy change published in the Information Resources Use and Security Policy, the safety and security of the University’s vital information resources will be better protected.
Please contact the Information Security Office if you have questions or concerns about with this policy change, or ideas to helpfurther improve information security on campus.