Date: March 5, 2004

To: Deans, Directors, Department Chairs

From: Marilu Goodyear, Vice Provost for Information Services and Chief Information Officer

Subject: KU Information Technology Security Policy

Attached is a link to the KU Information Technology Security Policy, approved by the Provost. Please make sure your staff is aware of the requirements outlined in this policy.

The purpose of the policy is to outline the steps necessary to secure information resources, and to establish protocol for timely resolution of information technology security incidents at the University of Kansas-Lawrence campus.

Today's Information Technology Security Context

The University mission and strategic initiatives are enhanced as students, faculty and staff use technology, the Internet, virtual classrooms, anytime-anywhere remote access, business and student administration systems, and strong, reliable high-speed network infrastructures. In many cases, the mission's success depends on the availability of these resources, and ultimately on how well they are secured and protected. This is the reason KU has developed the Information Technology Security Policy.

Information technology security breaches have become common around the world, and universities are especially attractive targets due to the significant computing resources on campuses. As a result, critical university computing resources, including research, patient care, and student data, are at risk, and university computing devices have been virtually hijacked by cyber-criminals to launch cyber-attacks both within and outside universities. The risks posed by hackers and other cyber-intruders to our academic mission are serious. The loss, corruption or unauthorized access to information on our local systems could greatly hinder campus work. Like many university campuses, KU is detecting an increase in unauthorized attempts to access its network and computer systems.

The campus community shares a responsibility to secure computers and networks and to respond quickly to threats to the integrity of systems and data. One vulnerable, unsecured device can make the entire KU network vulnerable. An unsecured computer in one department can easily be used as a springboard to launch attacks on computers in other departments or on the Internet. While it is not possible to anticipate and intercept all attacks, specific and consistent security procedures can help significantly reduce our vulnerability. These security procedures are effective, however, only if they are applied to all devices in KU's network.

Technical Liaisons

As a dean, director, or department chair, you recently were asked to appoint a Technical Liaison for your unit. Almost all units now have done so. Thank you to those who have already appointed your technical liaison! If you still need to designate your technical liaison, please contact Jenny Mehmedovic, Coordinator of IT Policy and Planning, at jmehmedo@ku.edu. The Information Technology Security Office has developed certification training for the Technical Liaisons, as outlined in the policy, and will notify designated staff when the training is offered this spring.

IT Security Education Offered for Managers and Staff

The IT Security Office also offers general security awareness sessions to educate staff at all levels about security concerns, risks, and available resources, both for the University and individual units.

If you are interested in providing a security education session to managers and staff in your unit, or if you have questions about this policy or about KU information security, please contact Jenny Mehmedovic, Coordinator of IT Policy and Planning, at jmehmedo@ku.edu, or 864-4999.