Mandatory Computer Security Changes

UCSD
CAMPUS NOTICE
University of California, San Diego

OFFICE OF THE CHANCELLOR

January 30, 2007

ALL ACADEMICS AND STAFF AT UCSD (including UCSD Medical Center)

SUBJECT: Mandatory Computer Security Changes

Many of you have likely heard about the recent UCLA computer security breach. While the UCSD campus has devoted substantial efforts to improve our computer security infrastructure over the past few years, the UCLA incident has highlighted the need to be even more diligent in this area.

In order to maintain the integrity and security of our campus systems, we need to take the following measures:

* Immediately review processes considered vulnerable

* Review and change our computer applications to ensure that they are secure

* Take action to minimize the use of sensitive data

* Adequately protect such sensitive data where it must exist

We are asking you to take the following specific actions:

1. Fully comply with the UCSD network minimum standards. Noncompliant systems will be removed from the campus network until they conform to the standards. This includes employee-owned systems that connect remotely to the campus. See http://blink.ucsd.edu/go/networkstandards for more information. Note: new, stricter minimum standards will be announced soon.

2. Scan for and eliminate all sensitive data unless it must be stored by law or UC policy. Such systems include databases, spreadsheets, Word/PDF documents, e-mail, and other types of files. See http://blink.ucsd.edu/go/secureinfo for definitions and examples of sensitive data.

3. If sensitive data must be present, work with campus security experts to protect the data. Good guidelines can be found at http://pci.ucsd.edu and our security experts can be reached via email at security@ucsd.edu.

4. Review your own departmental web applications for security vulnerabilities. A training session for application programmers and system administrators will be held on February 16 and during Sharecase on March 28.

5. Be ready to tolerate transitional problems as we limit access and modify systems that put us at risk.

If you have any questions regarding this notice, please contact Gabe Lawrence, ACT Data Security, at glawrence@ucsd.edu or Charlotte Klock, ACT Data Center Director, at cklock@ucsd.edu.

Marye Anne Fox
Chancellor