Several UW System schools still need better-defined policies to protect sensitive data against computer security breaches, an April 4 audit said.
The audit said UW System schools must create policies on what kind of data needs more protection and must perform periodic checks on vulnerabilities in computer networks.
Other necessary improvements include campuses hiring a full-time information security officer and formalizing a response to security breaches, according to the audit.
UW-Madison, UW-Milwaukee and UW-Whitewater are the only UW System schools that currently have a full-time information security officer, the audit said.
The audit said security breaches often cause significant financial problems for colleges, with lost data forcing universities to pay insurance costs for affected employees. It said breaches would cost $90 to $100 per affected record in incidents that might involve tens of thousands of records.
Computer security breaches affected more than 4.7 million students and staff around the United States from 2005-'07, according to the audit.
UW System spokesperson David Giroux said the audit would be reported to the Board of Regents at its Thursday or Friday meeting. He said it would not be a contentious issue for discussion, as the incidents in the audit have been previously reported.
Brian Rust, communications manager for the Division of Information Technology, said UW-Madison currently performs checks on the campus networks by using the same scanning maneuvers as hackers.
Rust said if a computer or departmental network is found to have a vulnerability, then it is disconnected from the main campus network until the problem is solved to eliminate the risk.
He said the security checks need constant updates because hackers are continually improving their methods, similar to burglars.
"If you are trying to break into a home, the stronger the locks get, you have to employ different methods to get around [them]," Rust said.
Jim Lowe, chief information security officer on campus, said officials are focused on protecting restricted data like health insurance information and other data hackers would use for identity theft.
Campus officials must protect certain types of data because of federal laws like the Health Insurance Portability and Accountability Act, Lowe said.