University Information Security Office

Message from the Sr. VP regarding data security

Dear Members of the University Community:

I write today to share some information related to our ongoing efforts to protect electronic data across our campuses. Though we have been diligent in taking steps to address this issue, the most recent data breach announced yesterday has clearly demonstrated that we must intensify our efforts.

To that end I will be leading a University-wide Task Force on data security and over the coming days will be working with individuals across our campuses on this effort. I expect that senior campus leaders and those with areas of responsibility crossing a variety of critical business, academic and research functions will be part of our team. I hope that together we can work not only to identify and inventory potentially vulnerable areas but also to implement practical changes to more securely conduct our work.

In addition to this process, our University Information Services (UIS) team has already been engaged in implementing enhanced information security measures across campuses. Efforts include reducing the use of social security numbers and using GOCard and NetIDs to identify individuals, providing secure laptops to individuals who perform critical business systems functions, providing a secure environment where all personally identifiable information can be hosted instead of on individual hard drives, and conducting desktop scanning of individual computers to identify and remove any personally identifiable information. UIS staff will be aggressively reaching out to individuals and departments, with priority on those who access financial data and personally identifiable information as part of their business functions, to conduct this work and I am asking you to be responsive and supportive of their recommendations.

As a reminder, all Georgetown employees are expected to abide by Georgetown University's Information Security Policy. Please read and review that policy and discuss it widely with your staff and colleagues.

If you are a manager, please take these steps immediately:

1. Make security a priority within your office, regularly discuss security-related issues with your staff members and encourage them to bring forward concerns.

2. Review this letter with your staff. Discuss with your staff how they use confidential data, where it is stored, and how it is to be protected. Review your office's business processes on a regular cycle to implement best practices which call for the removal of social security numbers from all processes that do not require it.

3. Proactively engage UIS, University Counsel, Risk Management, and the Compliance Office when questions or concerns arise.

4. Maintain responsibility for the confidential data that you share with other University offices by asking how the data is being used and stored and affirming that it is not being re-purposed, shared, or stored insecurely.

In addition to our institutional steps, there are things that we can all do individually to secure data. I ask you to please do the following, and to ask your supervisor for assistance in taking the following steps.

1. Review all your computer systems

These include your laptop, desktop computer, home computer, or handheld mobile devices, memory sticks, and the drives and folders on them for social security numbers, credit card numbers or any other confidential information.

2. Delete all old files

While you review your data, you may not even know that you have a certain file containing confidential data. If you don't have a work-related need for it, don't keep it. Delete these files; and don't forget to check all your computing devices, drives and folders. Please contact the UIS Security Office to help you permanently remove the files from your computer.

3. For files that you MUST keep

Old files that must be kept for archival or institutional record purposes must be moved to a safe, secure storage space such as a Phoenix Enterprise File System drive. If your department does not have access to a Phoenix EFS drive, please contact the UIS Security Office immediately so we can give you access to a secure file system. Once you have copied these files to the secure location, do not forget to delete the original from your computer and backups. Please contact the UIS Security Office to help you permanently remove the files from your computer. Assure that the office area where your computer devices are located is locked when unattended, even for short periods of time, even during the work day.

4. Users who are traveling

If you are required to travel for business purposes and carry social security, credit card, or confidential information, contact us immediately at the UIS Security Office so that we may best assess your situation.

5. Do not send confidential information via e-mail

Never send social security numbers, credit card information or confidential personal information via e-mail.

6. Do not use an unencrypted USB key or any non-GU device to store any confidential data.

7. If you have an external drive, or memory stick or other removable storage medium that you must keep for back-up purposes, please keep it locked in your desk, or at a minimum, out of sight in a locked office when not in use.


Should you have questions related to steps you can take to protect data personally or within your office, you may find information at security.georgetown.edu or call the UIS Security Office at (202) 687-3031. Thank you for your ongoing cooperation and assistance in our efforts to provide a secure data environment at Georgetown.

Sincerely,
Spiros Dimolitsas
Senior Vice President