Skip Navigation Links
As mentioned in the "Copyright and Information Security" article in this issue, October is "National cyber security awareness month." In keeping with that theme, we decided to reprint this article from the July 2004 issue of Benchmarks Online.
Although the article is several years old, the information is still accurate. See the article "Writing in Water" in this issue for further discussion on computer back ups. -- Ed.
By Dr. Philip Baczewski, Director of Academic Computing and User Services
A June 2004 report from the Texas State Auditor's Office (SAO) concluded that higher education institutions should do more to protect research data. The findings of their report included the following observation:
The report goes on to detail data losses due to inadequate backup and disaster recovery, as well as productivity losses resulting from the introduction of a computer worm via a laptop computer attached to the campus network.
Hazards to research data
Hazards to research data fall into three categories: loss of data because of inadequate backup can impede completion of a research project and possibly result in a loss of intellectual property which could be patented and licensed for commercial development; unauthorized access to research data can result in the violation of research participants' privacy or in the theft of intellectual property; operational interference to computer systems (virus or worm outbreaks, or inadequate disaster recovery) can delay or prevent completion of funded projects or impede delivery of research related services.
The SAO audit report offers the following recommendations to safeguard research data.
UNT has a number of policies which support the achievement of the standards recommended above. The "University of North Texas Computer Use Policy" defines standards for password management and system access security. The "UNT Information Resources Security Policy" provides guidelines for controlling access to information resources and preserving data integrity.
Policies on their own, however, will not secure systems or data, so it is necessary for both the central technical departments and the researcher to take actions to protect research data. Research systems managed by ACS are backed up for purposes of disaster recovery, with a three-week retention period on backed-up files. Backups happen once per day and are not intended as an archive. Data archiving remains the responsibility of the individual researcher (for more about backups, see "Writing in Water" in this issue of Benchmarks Online).
What is being done?
The Computing and Information Technology Center (CITC) Security Team does regular scans of the campus network to identify vulnerable systems which could compromise the security or operation of the campus network. It is particularly important that users of MS Windows workstations protect not only their UNT-owned systems, but their personally-owned systems as well, since data is often share between them both. The CITC provides access to current versions of virus protection software to campus as well as personal systems. More information can be found at the UNT Virus Webpage.
Practices are being developed to enforce use of more secure password strings and password aging for central systems, especially those which use an EUID and enterprise password for login. Those practices will be phased in during the Fall 2004 semester, but in the mean time, it is important for researchers to use secure passwords which are not names or dictionary words. In addition the College of Arts and Sciences has begun using password-protected screen savers on their College-supported Windows systems.
If you are managing your own workstation, it is important to keep up with application of security updates. Windows, Mac OS, and most Linux distributions have methods for downloading and applying the latest updates. Unpatched systems have historically been most vulnerable to the compromise or loss of data.
While the CITC provides support and guidelines for safeguarding data, it is ultimately the responsibility of the individual researcher to safeguard their data. Research data should be backed up and archived at its primary storage location, which is usually the faculty research workstation. But backup of data is not the only responsibility of researchers. Being mindful of password and operational security issues will promote a computing environment which safeguards data and ensures continuity of the research process.