The Observer, October 21, 2005
Volume XXXVIII, Issue 8
Chief Information Security Officer resigns after less than one year
Case students are known to be dependent upon their computers and the Internet for information, communication, and entertainment. With Case ranked by Intel as one of the top 50 universities for wireless Internet accessibility, it would be reasonable to state that computing and technology have a significant influence on life at Case.
With thousands of users supported by the network, information flows constantly through the system, and security measures must be taken to ensure the safety and confidentiality of the systems. For this reason, the role of Chief Information Security Officer was created earlier this year upon recommendation by the university.
Rey LeClerc, former vice president of global information security at DoubleClick Inc. in New York City, stepped into the role approximately 10 months ago as the first Chief Information Security Officer at Case.
"At the time, it was a great opportunity for me, there was a need for this role, and there was much to accomplish in terms of information security," LeClerc said.
However, LeClerc announced his resignation on Monday, Oct. 10, effective Oct. 14. In his letter of resignation, LeClerc stated his belief that under current circumstances, a Security Officer is not needed and advised a more distinct definition of the position. "The Chief Information Security Officer at Case is unfunded, unsupported, and under resourced. In the future, I would recommend a clear understanding of what is needed in this role," LeClerc wrote. "For starters, I would advise on (1) a commitment of resources, of both funding and personnel; and (2) better alignment and support of senior management."
During his time here, one of the first projects LeClerc completed was an assessment of information security measures. He discovered vulnerabilities in security and attempted to minimize them.
In terms of infrastructure, LeClerc found that Case does not require network users to change passwords. Some users have passwords that have not been changed in many years, including older passwords that were created before 1999, according to LeClerc's assessment. Passwords become weaker as time passes, and if a user has shared a password with another, the other party will have access to the account as long as the password is unchanged.
"As decided by the Faculty Senate, faculty do not want to have to change their passwords, and there is little that can be done about that," LeClerc said.
With the exception of the Law and Dental Schools, Case does not actively push anti-virus software or update it automatically for all users on the network. "We need a more proactive approach to solving this problem but we are faced with challenges such as funding and support," LeClerc said.
Though the Case community is notified of updated anti-virus software through emails from Information Technology Services (ITS), there is a chance that users do not check their email or follow the recommendations in it. "In the event of a virus outbreak, we need automatic updates of anti-virus software. This means that an administrator must push it down centrally so that the software will be updated for all users," LeClerc said.
Earlier in the semester, a breach in security was uncovered when a laptop containing personal identification information of all first-year students was stolen. Because the laptop was later found, it was assumed that the information was not accessed by the perpetrator, and first-year students were not notified of the incident.
LeClerc was not in agreement with this decision. "Students should have been notified because we don't know if the information was accessed, it was only assumed that it wasn't and nothing has been done about it. There is a potential for identity theft if the information was accessed and students have a right to know that," LeClerc said.
On the other hand, university officials have certified that the computer was tested to ascertain whether the data file in question was accessed. Based on the inspection, the information was not accessed or compromised. Because the situation was determined to be undamaging, students were not informed.
However, during the time that the computer was misplaced, a communication plan was readied. An e-mail alert, a follow-up letter, a website with information regarding steps to avoid identity theft, and a hotline number were prepared in case the computer was not recovered, according to ITS communications manager Priya Junar.
According to LeClerc, in light of the recent budget cuts, projects related to security have been cancelled and new projects are at a standstill. With the lack of funding, improvements for information security at Case are hindered. "Over the past two years, there has been no movement to improve security conditions and little progress is being made," LeClerc said.
However, officials at ITS disagree. "Projects have not been dropped. Information security is a priority for the university at all levels," Junar said. Current projects include a continuation of educational and awareness campaigns, and the promotion of a strong password policy. In addition, Case is moving away from the use of Social Security numbers for access to university resources, according to Junar.
Case is currently looking for a replacement. The position was recently posted on the Case Human Resources website. LeClerc advises that the replacement should come with experience in academia because it is different from corporate environments.





