The exposure of sensitive information to hackers detected in July could have been prevented if UNC had adopted guidelines developed by Information Technology Services in the past several months.
ITS has been issuing guidelines on data security best-practice measures for months, and it posted drafts of them online about a month ago as unofficial recommendations.
In the wake of the security breach, ITS is pushing to implement the measures more quickly.
The attack allowed outside access to personal information of more than 236,000 women who were participating in UNC’s Carolina Mammography Registry.
“If people had been following these policies, I think we could have avoided a lot of this,” said Assistant Vice Chancellor for Information Security William Cameron at Monday’s meeting of the faculty executive committee.
The guidelines include dozens of pages of documents that incorporate security measures ranging from requiring contracts before sharing information with outside entities to describing password requirements.
ITS doesn’t have the power to set or enforce official security policy, Cameron said, something the department would like to correct in the wake of the hacker attack.
Cameron also discussed Monday how stronger security might affect professors and researchers.
Besides obvious questions of personal security, having an insecure network could also hinder the University’s grant proposals, which often require that the University guarantee adequate safeguards. If UNC can’t reassure grant donors, it might see research dollars drop.
ITS members said fixing the problem is more complicated than just investing in new software, and new policies would take time and effort to implement. They will discuss their efforts at the next Faculty Council meeting Friday.
“You can’t write a check to fix this,” Cameron said. “You’re going to need support from the top down.”
He said ITS’s enforcement would take on an assistance role, helping faculty members implement unfamiliar policies.
Implementing stronger security faces significant obstacles. Faculty members admitted to being confused sometimes by technical requirements and said they saw security measures as unnecessarily problematic at times.
“Security is a pain,” said Joe Templeton, special assistant to the chancellor and former chair of the faculty. “But I think we all need to step up to the plate and say security breaches are a disaster, and we’re going to have to work to avoid them.”