Phoenix Copwatch
Home | Contact

  Original Article

ASU streamlining tech security policies
Students asked to help form new rules
by Brian Indrelunas published on Tuesday, November 8, 2005

Officials say ASU needs more streamlined computer-security policies, and students can help update or rewrite those policies online.

Speaking at a panel discussion Thursday, Detective Terry Lewis of the ASU Department of Public Safety said he came across many different procedures for dealing with possible computer crimes when he seized approximately 20 hard drives during a Secret Service investigation in June 2002.

"There's no one coordination or policy for all the different IT departments," Lewis said. "I got yelled at because I stepped on some toes, but I needed to get those hard drives right away."

Investigators said they found illegal software installed on the seized machines that logged all information typed into the computers.

The man arrested in connection with the case may have accessed personal information belonging to 29 ASU students and employees, The State Press reported in 2003.

Some of the computers were seized from the Computing Commons, which is run by Information Technology, but computers were also taken from other campus departments with their own IT staffs.

Forensics expert Bill Kalaf said ASU should come up with specific processes to be followed, and employees should document any actions they take.

Joe Askins, the director of security planning for central IT, is one of a number of people looking at how to improve ASU's technological security.

One possibility, Askins said, is to write a set of specific procedures to accompany the security policies included in ASU's Computer, Internet and Electronic Communications policy.

But that policy went into effect in September 2000 and has undergone little revision since.

"Obviously, security threats and vulnerabilities, requirements and everything else and tools have changed in the past five years," Askins said.

Instead, a new set of security policies may be on the way, he added.

Computer security is one of eight focus areas in ASU's long-range technology plan, which is being developed in an open, online environment.

University Technology Officer Adrian Sannier is drafting the plan on a site that uses the same technology as Wikipedia, an online encyclopedia that allows any user to edit its pages.

Anyone who creates an account on the site can analyze strengths, weaknesses, opportunities and threats regarding ASU's computer security or the other sections.

"We want to make this as open a project as possible so it gets the best results," Askins said.

Askins and other designated moderators are working with the submitted information to draw up an assessment of ASU's computer security.

From there, a plan will be developed.

"We're all working toward Adrian's goal of having a somewhat completed [plan] by the end of the calendar year," Askins said.

The online collaboration site, known as a wiki, can be accessed through Sannier's Web site, http://adrian.sannier.net .

Reach the reporter at brian.indrelunas@asu.edu.