Story originally posted to The Red and Black on March 7, 2014
By Michelle Baruchman
Information security is one of the biggest areas of concern for the University of Georgia, said Brian Rivers, an associate chief information officer for information security in Enterprise Information Technology Services.
Rivers said a variety of student records are housed in different information systems with different security postures across campus, but where the systems are located is less relevant than who can access the information.
“The goal is to keep the information on a need-to-know basis,” Rivers said.
Rivers said the media used to record student information depends on the process.
“A lot of the information has been moved to an electronic medium, but we are an old institution, so there are a lot of old paper records that are still out there,” he said.
Derrick Henderson, a former student employee of the UGA registrar’s office, was accused of committing fraud by stealing students’ financial information from printed files to make purchases in more than one county. He is charged with 32 counts of financial identity fraud and 19 counts of financial transaction card fraud in Athens, Ga., said Jimmy Williamson, UGA police chief.
Rivers said the medium through which Henderson gained entry is not as significant as the access he was granted.
“Whether it has been a paper record or an electronic record, the fact is that the employee chose to abuse his access,” Rivers said. “And people should not have access to a system if they don’t need that access.”
Still, Rivers said there is a high amount of security protecting student information.
Although Rivers did not want to go into detail about security measures, he said UGA follows data classification standards that show which types of information are considered to have different security levels and what controls are applied.
There are four different levels of classification – information about Social Security numbers, credit card numbers and health and financial information has the most stringent requirements for security.
“Depending on the levels of security requirements, you’ll have a different longevity of that information,” he said.
The longevity, Rivers said, could range from about seven years for administrative records to a lifetime for other types of records.
“UGA preserves certain records past graduation for transcript requests, for instance,” Rivers said. “If you graduated, we have to be able to prove you were a student here. We need to retain those records for that kind of information, and that can go back quite some time.”
Rivers said for schools similar to UGA, it is relatively common to keep records in the same way.
“UGA follows the record retention policy set under the University System of Georgia that the Board of Regents has established for how long to keep a record,” he said. “And the types of records you keep depend on the type of business you conduct.”
If a student decides at some point to request to keep certain records private, Rivers said there is a formal process a student can go through.
“Information that is publicly available does not have enforced deletion requirements because it has already been released to the public,” Rivers said. “But students can choose to opt out of directory information disclosure.”
Rivers said there is still a lot of work to be done, but the university has been spending a lot of energy and effort on minimizing the handling of personally identifiable information.