GEORGIA INSTITUTE OF TECHNOLOGY
THE EXECUTIVE BOARD
Held in the Poole Board Room of the
Members Present: Boyd (Stu. Servcs); Clough (President); Evans (GTRI); Henry (OSP); Horton (GTRI); Jayaraman (Mgt); Kahn (CEE); Mark (CoC); Peterson (ECE); Swank (GTRI); Telotte (LCC); Uzer (Phys.); Warren (EDI); Norville (G. Stu); Watson (U. Stu); Alexander (Staff Rep); Abdel-Khalik (SoF).
Members Absent: Agrawal (ChE); Allen (Arch); Chameau (Provost); Marr (Psy)
Larry Kahn (Chair) opened the meeting at .
He called for approval of minutes
The Chair called on Mr. John Mullin, Assoc. VP-Information
Technology, to present an overview of recent activities in the information
security area. A copy of the slides used in Mr. Mullin’s presentation is
attached (See Attachment #2 below). Mr. Mullin began by describing the recent
The potential impact of the incident, including possible legal action,
criminal activity, and financial risk, was assessed. In this case, because of the risk of personal
identity theft (credit card information), the system was isolated and law
enforcement was notified (GBI, FBI and the Secret Service). The unauthorized access was traced to the
In parallel with these activities, President Clough asked all campus
units to identify servers hosting sensitive information. The survey indicated that there are 97
servers around the campus that contain information covered by the Family
Educational Rights and Privacy Act (FERPA); five servers have health information
covered by the Health Insurance Portability and Accountability Act (HIPAA); 106
servers have financial information covered by the Gramm-Leach-Bliley Act (GLBA);
and 12 systems contain credit card information. These 220 sensitive data servers are
maintained by 39 different Academic, Research, and Administrative units around
the campus. Mullin indicated that
information security has always been important to Georgia Tech because of our
dependence on technology, and that over the past several years we have made
significant investments (both people and tools) to improve our security. He pointed to the intrusion detection system
which detected the
Mullin described the “Layered Security Approach” for securing Georgia Tech’s information technology infrastructure, including both non-technical and technical measures. The non-technical measures include: (1) Education, awareness, and training for students, faculty, staff, and the CSR/CSS community; (2) Policy development: a campus security policy is in place; unit-level policies tailored for unique practices and requirements of each unit are to be developed (with OIT assistance) before the end of the calendar year. Additionally, policies dealing with unit servers housing sensitive information, wireless access, data access, data retention, and back-up and recovery operations are to be developed or revised; and (3) Risk management, including unit-level self-assessment, business process review for sensitive servers, system acquisition reviews, centralized vulnerability assessment, and internal audits.
Mullin described the technical measures involved in the layered security approach. He indicated that the aim is to “re-architecture” our network to create different environments, which limit/control access to different zones (the educational domain, student domain, administrative domain, and private services domain), and described the layered access (viewing versus manipulating of data) for the administrative domain. He indicated that these network architecture changes are aimed at implementing the policy and business practices to be established. He described the layered firewall structure to be used to secure sensitive data and transactions on critical servers, and indicated that such measures are not affordable (or appropriate) for all servers. Mullin concluded by providing a list of references for “Sensitive Data Compliance and Regulation” (Attachment #2b), and indicated that the Educause website (www.educause.edu) offers a useful legal perspective on IT security for higher education.
A question was asked as to what needs to be done to make faculty and students aware of this issue. Mullin responded by indicating that OIT makes presentations on the subject during FASET (presentations to be expanded); they are also involved in the PSYC 1000 course and are working with advisors for students living in residence halls to offer a training course for incoming students, as well as a “refresher” on security awareness. They also publicize the issue through articles in the Technique, town hall meetings, and brown bags, which will be expanded in the coming year to raise the students’ awareness of the issue. Presentations are frequently made to various faculty groups and department meetings. He indicated that communications are the key to enhanced awareness, and that “peer pressure” may be important since those who do not practice “good security” place everyone at risk.
The President commented that Rob Clark (Director of internal auditing) recognized IT security as a potential problem some time ago, and began including an IT part in the audits. He has now hired specialists who look specifically at the IT part. This is important because the Board of Regents, the State, and Federal Auditors have such specialists, who will be looking at this aspect of our operations.
A question was asked as to whether GTRI is covered by the new security measures. Mullin responded affirmatively, and indicated that Charles Brown (Associate Director, GTRI) was a member of the top-level committee that developed the campus security policy a few years ago. OIT will be working with IT personnel in the various GTRI labs to develop the policies and implement the technical measures.
A question was asked as to whether the security of the grade reporting process from professors to the Registrar has been checked. Mullin indicated that the BANNER system is secure, and that transactions between clients and the BANNER system are also secure.
Mullin indicated that the security measures to be implemented will require
substantial investments (nearly $1M to put the security architecture in place
plus additional personnel), and that initial attention has been focused on
systems which pose the highest risk; a phased plan has been adopted. A question was asked as to whether any
incidents of identity theft have resulted from the
The Chair thanked Mr. Mullin for his presentation.
3. The Chair called on the President to comment on matters of interest to the Georgia Tech community. The President offered the following comments:
a. We had the largest graduating class this spring; we had two commencements, one in the morning for undergraduates and one in the afternoon for graduate students; the speakers (Senator Elizabeth Dole and Dr. Julie Gerberding) were outstanding. The President invited comments/suggestions to improve the graduation ceremonies.
b. The State budget process ended on a positive note. While there were no salary increases, there were no additional cuts in our 04 budget beyond the $18M we have had. On the positive side, the Legislature has fully funded the formula; we expect to receive significant additional revenues from formula funding because of our enrollment increases. That will depend on how the Board of Regents allocates the funds. We are fairly confident that Chancellor Meredith will equitably allocate these funds and that we will receive our fair share, which will reduce the impact of the $18M in cuts we already have. We have also received $1.4M in funding for the GTREP program, which is strongly supported by the Legislature.
c. The Board of Regents will decide on the tuition levels when they meet next week.
d. Together with Presidents from six other leading universities, we have had discussions with two Undersecretaries of the Department of Homeland Security (Hutchinson and McCreary) regarding the new reporting requirements for foreign students and visitors. The changes may take some time; however, based on the reception we have received and the follow-up from DHS, we are optimistic that the issue will be positively addressed.
e. We have had ongoing discussions regarding SARS and
how to handle any cases that may occur on our campus; we have had no cases so
far. We have cancelled three study
abroad programs in high risk areas this summer, and are collaborating with
other universities to develop a sensible policy. Today, the
f. There are searches in progress to fill several important positions; the search for GTRI Director is in the final phases -- a short list with four finalists has been identified by the search committee and the final visits are being made at this time; the search for the Director of Admissions is also in its final phases. We also have a search underway for a person to lead our emergency response activities; the person in that position will report to the Director of Campus Security.
g. The Environmental Science and Technology building
will be dedicated this Friday. It will
house several units including Chemical Engineering, and EAS. A major donation to the building was made by
Ford; Mr. Edsel Ford will be on hand to help dedicate the building. We are also planning a major event for the
A question was asked regarding security at the
The Chair called on Dr. Green, Chair of the Graduate
Curriculum Committee, to present action items requiring Board approval on
behalf of the Academic Senate. Dr. Green
distributed copies of the
A question was asked as to how many other PhD programs in Bioinformatics
exist around the country. Borodovsky
indicated that there are nearly twenty PhD programs in that area. He also indicated that since 1993, the School
of Biology at Georgia Tech has implemented a PhD in Biology with concentration
in Bioinformatics, and that in 1997 the College of Sciences at Georgia Tech
proposed and established an MS program in Bioinformatics, the first of its kind
in the United States. Borodovsky indicated
that successful candidates to the new PhD degree programs must be admitted by
one of the participating units. A
motion to approve the
5. The Chair informed the Board of the need to extend the current term of the Institutional Review Committee for Assessment of Academic Programs by one year, in order for the committee to complete its work on integrating the Program Assessment process within the overall faculty governance structure. This effort was described to the Board at the last meeting. A motion to extend the term of the Institutional Review Committee for Assessment of Academic Programs till August 2004 was approved without dissent.
The Chair called on Dr. Ron Rousseau (Chair,
A question was asked as to whether the Schools of Biomedical Engineering
and Biology had been consulted on this matter, and what their responses were. Rousseau indicated that the Dean of the
The Chair called on Dr. Anslem Griffin (Chair,
8. The Chair informed the Board that the June Board meeting has been canceled.
9. The Chair called for any other business; hearing none, he closed the meeting at .
Secretary of the Faculty
Attachments (to be included with the archival copy of the minutes)