CIO Closes Data Barn Door

A year ago, Ohio University suffered an embarrassing incident of comprised personal data. Now the CIO brought in to clean up the mess is articulating the measures he's taking to beef up network security. They sound familiar.Still, this makes me glad. I'm a graduate of Ohio University, and my personal information was among the alumni data comprised by hackers. The compromise actually stretched back at least a year before that, when hackers first started using the university's servers for their nefarious ends.

After the university finally discovered the hacker attacks, it started looking for a new CIO. It tapped Brice Bible, then interim CIO and assistant VP for information technology at the University of Tennessee, who started in Athens, Ohio, last April.

Today I received an e-mail release from Ohio University with this subject line: "CIO unveils new university IT plan." The plan lays out these priorities:

"Bible and his team have set a goal of $8 million in additional funding over five years, $2 million of which the Ohio University Board of Trustees approved for this first year. The bulk of these investments will go toward hiring 11 new staff members in the first year, and most of the remainder will support improved hardware systems, Bible said."

My son now goes to Ohio University, so I hope that doesn't mean an increase in tuition. As for security, it said this:

"To continue improving security this coming year, additional internal firewalls will supplement the perimeter to protect sensitive information, and the university will continue to eliminate the use of Social Security numbers wherever possible. When Social Security numbers are essential, OIT will encrypt them. To bolster security, Bible also is calling for tighter policies and procedures governing such areas as data classification, identity management and disaster recovery."

Sounds like your bread-and-butter security initiatives. Even Bible said the new measures amounted to necessary incremental improvements:

"The university began taking strong action a year ago to improve IT security," Bible said. "This plan builds on those efforts by articulating the key initiatives needed to carry information technology to a level of reliability and security that we all expect."

I might gripe that I expected this level of security and reliability a year ago, before my personal data was open to perusal by marauding miscreants. But I guess that's the point.

What do you think? Is there more Ohio University could be doing, security wise?