
Timothy Vollmer

Alex Kanous
SI 621 Research and Fact-Finding Assignment
December 4, 2006

University Laptop Information Security Policies

For our research assignment, we have looked at the issue of data sensitive to the
University being stored or accessed on laptops and the risks such situations bear for the
institution. To this end we have examined existing university-wide policy and interviewed
departmental-level officials responsible for both implementing those policies as well as
department specific versions.

Stakeholders

The stakeholders in this issue comprise a large group, the members of which shift
depending on whether a University-wide or department specific focus is utilized. First, and most
obvious, the entity most concerned with the security and potential abuse of sensitive information
is the University of Michigan itself. As will be addressed later, the inadvertent release of certain
types of information can result in substantial liability for the institution, not to mention the loss
of reputation. At the individual level, the information security officers of ITSS (Information
Technology Security Services) are primary stakeholders. These staff members are responsible
for developing broad information management policies like the Standard Practice Guides as well
as examining information issues for potential concerns. Due to the extremely decentralized,
federated nature of the University, these general policies are then left to the individual
departments or schools to implement. Those department or school level individuals tasked with
this implementation are thus likewise stakeholders. Since the policies passed down by entities
such as the ITSS are generalized in nature, these individuals are also responsible for creating and
implementing department and school-specific policies that address their particular needs.

Related to these stakeholders are the Information Security Coordinators (outlined in
Standard Practice Guide 601.25) who are tasked with evaluating and responding to information
security incidents, the data stewards who are responsible for the integrity of data, and UM media
relations who must run interference and public image damage control when necessary. There are
also staff that ensure compliance with federal regulations such as FERPA (Family Educational
Rights and Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), and
FOIA (Freedom of Information Act). The departmental-level policy officials mentioned above are
oftentimes also the systems and security administrators (like Vlad at SI); where they are not,
those administrators also have a stake in issues of sensitive information.
They are the ones responsible for creating the technological protective measures for this data as
well as providing access to faculty and staff. This latter category of individuals, who are the
primary users of the information, are also stakeholders. Those that are given or utilize university
laptops are particularly relevant to our issue.

The final stakeholders that we identified are perhaps the most readily apparent – the
individuals to whom this sensitive information relates and the attackers that seek access to it.
Depending on the specific department discussed, the former category might include different
stakeholders. At the medical school for instance, the stakeholders would include patients
(medical records), while at schools and departments like SI, the stakeholders would primarily be
students (student records). As an extension of this, further stakeholders might include
prospective students or patients. Their views of how information is maintained and exchanged
will influence whether they choose to attend or become a patient. Finally, an attacker who aims
to steal or corrupt data, and is thus either foiled by sufficient policies or enabled by insufficient
ones, is another stakeholder in this equation.

Technology

The technologies involved in our case study include physical protection, local data
encryption technologies for laptops, the departmental servers that house databases of sensitive
information, and the web-based interfaces for those databases. First, we see an analog
technology in that users of the laptops are expected to physically protect their computers from
theft, such as by locking office doors while laptops are inside. A novel measure is the MToken,
a flash drive-sized artifact that can be carried on the user’s person and generates a continuously
changing access code that is keyed to a particular user’s access. An additional physical measure
for the safeguarding of sensitive data is the proper destruction and disposal of storage devices,
which is variously accomplished via a literal shredding or magnetic wiping of the hard drive.

Next, laptop users may encrypt their laptop hard disks in order to make it more difficult
for attackers to retrieve information. Basic forms of such encryption are now standard options
with operating systems such as Windows. Finally, and most relevant in our case, there has been
a progression towards using web-based access to a centralized server as a way to ensure that
large databases have no need to be kept locally on laptops. In this way, faculty, staff, and
researchers are able to upload information to a database in a well-protected server through the
use of a website or other web interface. We have noticed that departments have a varying degree
of knowledge and incentives to use these new technologies. Some departments like the medical
school encrypt all data and use web-based tools to manage data, while other departments use
lesser degrees of protection for data. We’ve also noticed that there are few technical barriers that
prevent laptop owners from downloading data sets from servers onto their laptops. Instead of
enacting barriers and policies that restrict access, systems administrators have focused their
energies on providing the information, education, and tools for laptop owners that will hopefully
enable them to make good decisions about protecting the information they are able to access and
download to their computers.
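The MToken described above produces a code that changes continuously and is keyed to a particular user. As an added illustration, which is not from the original paper and does not describe the MToken's own internals, the following Python implements the HMAC-based one-time password scheme of RFC 4226 (HOTP) and its time-based variant RFC 6238 (TOTP), the general design behind tokens of this kind: the server and the token share a per-user secret, the displayed code is derived from that secret plus the current 30-second time step, and a code seen once is useless shortly afterwards. The secret and timestamps used below are the RFCs' published test values; the replay check via `last_counter` is an assumption about how a server would use the verifier.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: Optional[int] = None,
                last_counter: int = -1, step: int = 30, digits: int = 6,
                drift: int = 1) -> Optional[int]:
    """Server-side check (assumed usage pattern, not from the paper).

    Accepts the current time step plus `drift` steps either side to tolerate clock
    skew, compares in constant time to avoid a timing leak, and refuses any step
    at or before `last_counter` so an intercepted code cannot be replayed. Returns
    the matching step (for the caller to persist) or None.
    """
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    for c in range(counter - drift, counter + drift + 1):
        if c > last_counter and hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 published test secret (20 ASCII bytes). A deployed
    # per-user secret would be random and held only by the server and the token.
    secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(secret, 0))        # 755224
    print("TOTP at t=59:  ", totp(secret, 59))       # 287082
    code = totp(secret, 59)
    print("accepted step:", verify_totp(secret, code, unix_time=89))
    print("replay rejected:", verify_totp(secret, code, unix_time=89, last_counter=1))
```

The verifier is the side that makes the token useful as a policy control: a stolen laptop holds no secret, and a code shoulder-surfed once expires with its time step and is rejected as a replay even inside the skew window.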

Legal Issues

Legal concerns regarding the maintenance and protection of sensitive information on
university laptops revolve around the various regulations concerning this information – FERPA
primarily and HIPAA in regards to the medical school and hospital. Additionally, FOIA poses a
problem as information requests must be carefully vetted so as not to result in the inadvertent
release of sensitive information. While allowing sensitive information to be released poses a risk
to the reputation of the University, non-compliance with these regulations can result in the loss
of funding or criminal punishment for the University.

FERPA, for instance, denies funding from any U.S. Department of Education program
for an educational institution “which has a policy or practice of permitting the release of
education records” (20 U.S.C. 1232g(b)(1)) or “which has a policy or practice of releasing, or
providing access to, any personally identifiable information in education records” (1232g(b)(2)).
In either situation, written consent by the student, or the parent if the student is under 18, is
mandated prior to the release of such information. Some allowance is given for the release of
“directory information” without prior consent, but as this information is by definition non-
sensitive (1232g(a)(5)(A)), it’s not relevant to our case study.

HIPAA provides harsher penalties than the potential loss of federal funding. Under that
statute, the knowing use of an individual health identifier or the disclosure of “individually
identifiable health information to another person” can result in fines of $50,000 (up to $250,000
if done maliciously or for commercial use) and up to 1 year (10 years) in jail (sec. 1177). Even
the unknowing disclosure of identifying information can result in fines of $100 per incident, to a
total of $25,000 in fines in a calendar year (sec. 1176).

Existing Policies

Throughout our interviews and fact-finding process, we’ve realized that there are few
specific policies concerning information security on laptops within the University of Michigan
system. Beginning at the top, security policies are decentralized. According to Paul Howell, the
Chief Information Technology Security Officer at Michigan, there is no one-size-fits-all solution
to the problem of information security, especially concerning laptops. Since the university is so
large and departments so diverse, no generalized policy could effectively address this
environment. Additionally, as technology and its capabilities evolve so quickly, a narrowly
focused policy is unlikely to outlive its own implementation. Instead, University-wide policies
focus on addressing unchanging themes and persistent issues and give the departmental deans the
leeway for determining the best security solutions for their own programs. Howell and ITSS are
able to work with these department heads in conjunction with risk managers in order to create a
useful (and cost effective) information security plan. They are able to provide necessary
education, incident response support and compliance directives to create tailored information
security programs. In this way, ITSS is able to supply tools and resources so that individual
departments can hopefully make informed decisions.

Security administrators at the Medical School, Engineering, and School of Information
echoed this support-based role. Some departmental information policies are set up in order to
ensure compliance with standards set forth by HIPAA and FERPA. Specifically concerning
laptops, departments like the Medical School and SI have set up certain technological measures
that limit the need for large, possibly sensitive information sets to be kept on laptops in the first
place – they have set up web-based interfaces that allow direct entry of information onto a
centralized server. This server, in turn, is protected by powerful encryption technologies
maintained by trained departmental security administrators.

A common theme in information security is that information should be protected
most vigilantly closest to its source. While the University of Michigan determines what pieces
of information shall be deemed sensitive, responsibility lies within each department in
determining which personnel will have access to each data set. At SI, access is granted based
upon a need to use the information (although one employee agreed that they feel they have more
access than they need).

Ethical Issues

The ethical issues in our case echo those embodied in the Fair Information Practices.
Though the applicable statutes don’t directly address minimization of data collection, they do
hold the institution accountable for the security of the data and the disclosure of information to
only authorized parties. In the case of FERPA, the opportunity for students or their parents to
review student records is explicitly called for and HIPAA moderates secondary use by imposing
stiff fines for the commercial use of sensitive individually identifying information. These
aspects of the statutes reflect the general overarching ethical concern in this case – the students’
trust in the University to appropriately manage and safeguard the sensitive information the
student or patient has entrusted to the institution. A final relevant principle of the Fair
Information Practices is that concerning education. As will be discussed in our recommendation,
educating staff and faculty of the seriousness of protecting sensitive information and of using
their access responsibly is of paramount importance.

Development Levels

Though we are addressing a policy situation at the University, rather than a specific
incident, an analysis of relevant development levels is important – in particular impulse control
development. Information that is readily accessible runs the risk of being perceived as less
sensitive. The installation of barriers of access that makes getting to information difficult
naturally fosters a respect for the importance of that information. In the situation at the
University of Michigan, where users have quick and ready access to sensitive information via
efficient technological means, this is a particular concern. As many policies rely on the
character of a mature user to know what access they’re allowed and the appropriate scope for
using that information, it is crucial that only those individuals with well-defined impulse
controls, who can resist the lure of easy access, are given such access.

Potential Actions

The most drastic, yet likely most secure option would be to attack the independent
policy-making functions of individual departments and schools and force the entire University to
abide by centrally-designed policies. The ITSS, or some evolved incarnation of it, could be
responsible for policy creation as well as the storage of all sensitive data. New sensitive data,
such as that generated from patient admissions or student applications, would be immediately
housed in this repository. Only selected ITSS staff would have access to this data in its entirety
and they would function as the gate-keepers through which departments would have to go to get
information they needed. Alternatively, these individuals could be tasked with the creation of
frequently used data sets (student contact information, transcripts, etc.) that have been carefully
purged of any sensitive components. Such a structure would no doubt provide the most secure
infrastructure for storing and distributing sensitive information, but it would also serve as a
substantial bottleneck. Also, as noted previously, the diverse natures of the various schools and
departments would not be best served by a system such as this, which tries to force generalities
upon them.

An alternative spin on this central repository option would be to allow direct
departmental access to the information, but only by specifically identified staff or faculty. These
individuals would be the gate-keepers through which the rest of their particular department
would funnel their data requests. Such an arrangement would also benefit the centralized
organization (ITSS or otherwise) which could focus on the education and supervision of these
individuals. However, the federated nature of the University would once again prove an
impediment to such a structure as the centrally-defined policies would no doubt clash with the
freedom of action currently afforded individual departments and schools. Additionally, the cost
of implementing a system of supervision ensuring that department gate-keepers were abiding by
policy would be high and require a significant expansion of the scope of ITSS.

Defensible Choice

Instead of proposing the types of dramatic restructuring suggested above, we believe that
in making recommendations for the security of sensitive information, particularly on laptops, we
need to look to existing policies rather than reinvent the wheel. Throughout the parts of the
university we examined, departments aimed to provide information security without enacting
restrictive new policies. Instead, they rely on more general university and departmental policies,
standard practice guides, and ethics in order to guide action. We see that applying existing
principles to current information issues can properly solve most information security dilemmas.
Information technologies change so rapidly that new policies to cover each new item would soon
become unmanageable. On the other hand, departments should also remain flexible in adapting
to novel technologies to which old standards seem inapplicable. In these cases,
administrators need to employ creative and critical thinking to determine whether new issues and
particularly novel technologies might call for a reanalysis or modification of security policies.

We believe that these ends can be achieved by providing the necessary technical and
ethical training in order to guide employees into making sound decisions concerning information
security, whether the security involves laptops or sensitive information in general. Open
communication, trust, and personal ethical behavior need to be stressed in order to help staff
make the best moral decisions when dealing with potentially sensitive information. Education
can be accomplished through broad awareness campaigns as well as through venues like faculty
meetings and technology training sessions. Systems administrators should be tasked with
maintaining knowledge of developing security tools and practices. All staff should properly
utilize disk encryption, which has now become extremely cheap. A “security map” – showing
the access granted to each departmental staff member – should be implemented and regularly
revised. There should be increased educational awareness concerning issues such as wireless
connectivity and remote access security. In relying on such an educational system, the
University would be able to maintain its federated nature, show its respect for its employees by
recognizing their integrity, and yet still foster a secure data environment.
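As an added example, not part of the original paper, here is one way to represent the "security map" recommended above in Python: a constructed roster of staff members, the datasets each has been granted, a per-role statement of what each role actually needs, and the date the entry was last confirmed. The review function reports grants that exceed the role's need (the situation of the SI employee who felt they had more access than necessary), lists sensitive datasets first, and flags entries overdue for revision. All names, roles, dataset labels and the 180-day review interval are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

# Constructed policy: the datasets each role needs in order to do its job.
ROLE_NEEDS: Dict[str, Set[str]] = {
    "advisor": {"student_contact", "transcripts"},
    "sysadmin": {"server_logs", "backup_catalog"},
    "clinician": {"patient_records"},
}

# Constructed labels for datasets the university has deemed sensitive.
SENSITIVE: Set[str] = {"transcripts", "patient_records", "ssn_index"}

REVIEW_INTERVAL = timedelta(days=180)   # assumed revision cadence


@dataclass
class Grant:
    """One row of the security map: who holds access to what, and when it was last confirmed."""
    person: str
    role: str
    datasets: Set[str]
    last_reviewed: date


def excess_access(grant: Grant, role_needs: Dict[str, Set[str]] = ROLE_NEEDS) -> Set[str]:
    """Datasets granted beyond what the person's role needs (unknown role: everything is excess)."""
    return grant.datasets - role_needs.get(grant.role, set())


def is_stale(grant: Grant, today: date, max_age: timedelta = REVIEW_INTERVAL) -> bool:
    """True when the entry has not been re-confirmed within the review interval."""
    return today - grant.last_reviewed > max_age


def tighten(grant: Grant, today: date, role_needs: Dict[str, Set[str]] = ROLE_NEEDS) -> Grant:
    """Return the grant trimmed to the role's need, dated as reviewed today."""
    return Grant(grant.person, grant.role,
                 grant.datasets & role_needs.get(grant.role, set()), today)


def review(security_map: List[Grant], today: date,
           role_needs: Dict[str, Set[str]] = ROLE_NEEDS) -> List[str]:
    """Findings for the revision meeting: over-broad grants (sensitive first) and stale entries."""
    findings: List[str] = []
    for g in security_map:
        for ds in sorted(excess_access(g, role_needs), key=lambda d: (d not in SENSITIVE, d)):
            tag = "SENSITIVE" if ds in SENSITIVE else "excess"
            findings.append(f"{g.person} ({g.role}): {tag} access to {ds} not required by role")
        if is_stale(g, today):
            findings.append(f"{g.person} ({g.role}): last reviewed {g.last_reviewed}, overdue")
    return findings


# Constructed roster: one clean entry, one over-broad sysadmin, one stale clinician.
EXAMPLE_MAP: List[Grant] = [
    Grant("A. Advisor", "advisor", {"student_contact", "transcripts"}, date(2006, 10, 1)),
    Grant("B. Admin", "sysadmin", {"server_logs", "backup_catalog", "transcripts"}, date(2006, 11, 15)),
    Grant("C. Clinician", "clinician", {"patient_records", "ssn_index"}, date(2006, 1, 10)),
]

if __name__ == "__main__":
    for line in review(EXAMPLE_MAP, date(2006, 12, 4)):
        print(line)
```

Keeping the map as data with a `review` step turns the recommendation into a repeatable check: the department re-runs it at each revision, removes the flagged excess with `tighten`, and the resulting list of who can reach which sensitive dataset is exactly what an incident responder needs when a laptop goes missing.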
