Snowfall and a stolen laptop

Abstract

The E. Phillip Saunders College of Business (COB) Dean at Rochester Institute of Technology (RIT) discovers that his RIT-issued laptop has been stolen from his home. He notifies Dave Ballard, a member of the College of Business IT staff. Ballard, still acutely aware of two recent incidents in which laptops containing thousands of Social Security numbers were stolen from the RIT campus, hopes the Dean’s laptop does not contain personally identifiable information. If so, the incident would need to be reported to the New York Attorney General’s Office, and RIT would be required to pay for a credit monitoring service for individuals whose identity may have been compromised. The case provides an opportunity for students to examine processes that should be triggered when an information security incident occurs. The case describes incident response processes that were triggered at RIT and technologies that were used or could have been used by COB IT staff to track the laptop and protect its contents. In discussing the case, students can consider how the theft of a computing device exposes an organization to risks of inadvertent disclosure of information in different categories (such as private, confidential, internal, or public), and students can derive useful guidelines for effective information security incident response.

Appendices

Appendix A

Excerpt from the reporter (RIT student-run publication)

More stolen RIT Laptops: second major student data breach. (by Alyssa Kenny)

With the aroma of turkey on the horizon tickling at their noses, approximately 1000 students were greeted over Thanksgiving break with a letter from RIT explaining that their personal information was at risk. On 17 November, ‘three laptops were discovered stolen from a locked storage area’ on the RIT campus, the letter stated. The laptops were said to contain personal information.

It is believed that the laptops were stolen sometime between 7 November and 14 November. It is alleged that two of the computers contained confidential student information, including some students’ names, dates of birth, and social security numbers. RIT Public Safety and the Monroe County Sheriff’s office are currently investigating the theft.

According to the information that RIT sent out to the affected students, the university ‘is acutely aware of the need to secure sensitive data. RIT continuously reviews practices in place to protect sensitive data.’ To aid in highlighting the importance of protection as well as to alleviate some of the stress the incident may have caused, RIT is providing each affected student with a free 1-year trial of Experian’s Triple Alert. Triple Alert is a credit-monitoring product, which will monitor the student’s credit reports at Experian, Equifax, TransUnion, the three main national credit reporting companies. RIT hopes that the affected students will take advantage of this opportunity to have the product identify potentially fraudulent use of their information and ensure their protection from identity theft.

According to a Federal Trade Commission survey, identity theft is the fastest growing crime in America. Last year alone, 9.9 million victims were reported.

Electronics are a hot commodity at RIT. At a school as electronically dependent and technologically renowned as RIT, it is imperative for students to protect their electronics and identity from theft and hacking, and for everyone to guard against potential laptop theft.

Appendix B

Excerpt from University News (RIT News and Public Relations Division)

College of design and architecture STOLEN LAPTOP

RIT recently discovered that personal information was on a laptop computer stolen from the National Technical Institute for the Deaf on 25 August. The information included names, dates of birth, and Social Security numbers.

Note: Letters were mailed to those affected. This information security alert does NOT affect the entire RIT community, but a specific population. This includes about 12,700 individuals who have applied to enroll at the National Technical Institute for the Deaf (dating back to 1968). Another 1100 members of the RIT community have also been impacted. Again, people affected have been notified individually.

A toll-free hotline has been established at 1-866-624-8330. You will be able to call this number through a relay service. The hotline will be available from Tuesday, 2 September, through Friday, 26 September, and you may call from 9:00 to 21:00 (Eastern Time) on weekdays, and on Saturdays from 10:00 to 16:00.

Appendix C

Figure C1

Figure C1

Partial RIT administrative organization chart.

Appendix D

RIT information security policy

The information assets of Rochester Institute of Technology (RIT) must be available to the RIT community, protected commensurate with their value, and administered in conformance with federal and state law. Reasonable measures shall be taken to protect these assets against accident or unauthorized access, disclosure, modification or destruction, as well as to reasonably assure the confidentiality, integrity, availability, and authenticity of information. Reasonable measures shall also be taken to reasonably assure availability, integrity, and utility of information systems and the supporting infrastructure in order to protect the productivity of members of the RIT community, in pursuit of the RIT mission.

Information safeguards are administrative, technical, and physical controls that support the confidentiality, integrity, availability, and authenticity of information. Information systems and supporting infrastructure consists of information in its analog and digital forms and the software, network, computers, tokens, and storage devices that support the use of information.

Controls depend on the system, its capabilities and expected usage, and anticipated threats against the information.

• Preventive controls include use of encryption, information integrity measures, security configuration, media reuse, use of antivirus, and physical protection.

• Detective controls include network and information access monitoring, and intrusion detection (host-based or network-based), manual or automated review of security logs.

• Corrective controls include recovery plans for handling isolated information safeguard failure incidents to business continuity plans.

RIT will take reasonable steps to:

1. 1

   Designate one or more individuals to identify and assess risks to non-public or business-critical information within RIT and establish a university-wide information security plan.

2. 2

   Develop, publish, maintain, and enforce standards for life-cycle protection of RIT information systems and supporting infrastructure in the areas of networking, computing, storage, human or device/application authentication, human or device/application access control, incident response, applications or information portals, electronic messaging, and encryption.

3. 3

   Develop, publish, maintain, and enforce standards for RIT workforce security related to the irresponsible use of information.

4. 4

   Provide training to authorized university users in the responsible use of information, applications, information systems, networks, and computing devices.

5. 5

   Develop, publish, maintain and enforce standards to guide RIT business associates and outsources partners in meeting RIT standards of lifecycle protection when handling RIT information or supporting RIT information systems and supporting infrastructure.

6. 6

   Encourage the exchange of information security knowledge, including threats, risks, countermeasures, controls, and best practices both within and outside the university.

7. 7

   Periodically evaluate the effectiveness of information security control in technology and process.

Appendix E

RIT acceptable use policy

Policy name: Code Of Conduct For Computer and network use (C8.2)

I. Introduction

The computing, network, and information resources of RIT are intended to support the mission of teaching, scholarly activity, and service for the University’s students, faculty and staff. Appropriate use of computing and networking facilities by members of RIT’s academic community should always reflect academic honesty and good judgment in the utilization of shared resources, and observe the ethical and legal guidelines of society. This document constitutes RIT’s policy for the proper use of all computing and network resources.

RIT’s computer and network facilities provide access to a wide variety of on and off campus resources. This privilege of access requires individual users to act in an ethical manner and as a result imposes certain responsibilities and obligations. It is the responsibility of every user to respect the rights, privacy, and intellectual property of others, and abide by all local, state, and federal laws and regulations.

This document outlines the user privileges and responsibilities as well as the guidelines and procedures for the responsible use of the RIT computer systems and networks. It is intended to allow for the proper use and management of these facilities, provide protection of users’ rights, ensure reasonable access, and provide guidelines for accountability. It applies not only to RIT computers and networks, but also to computers attached to RIT’s networks in any way.

II. Definitions

To avoid ambiguity, the following definitions are supplied:

• A. User – Anyone who uses computing or network facilities.

• B. Authorized University User – Anyone who has followed account application procedures and has been granted access to any or all of the computing or network resources of RIT for reasons consistent with the mission of the university, and consistent with this policy.

• C. University Computing Resources – Any computing, network, or software system donated to or purchased by the University or by a grant that is resident at the University.

• D. University Network – The network of the University comprising the physical components such as cable, switches, telecommunications equipment, wireless hubs, routers, Virtual Private Network (VPN) concentrators, dial-up access points, as well as the Internet and Internet2 connection points. The University network also has logical components such as IP addresses, directory services, routing, and connectivity to computing resources.

• E. University Network Connections – Any computer or device using an Internet address assigned to RIT or that is connected to a physical or wireless access point is considered to be connected to the University network.

• F. Personal Computing Resources – Personal resources such as PCs, networking equipment, and so on, which have been purchased and are owned by an Authorized University User and are connected to the University network.

• G. Special Access – Access to resources on a system that could be used to alter the behavior of the system, or to access accounts on the system. Examples are UNIX ‘root’ or Windows ‘Administrator.’

• H. System Owner – The person with the authority to designate or use special access account privileges.

• I. System or Network Administrator – The person responsible for maintaining the authentication used by the system or network, controlling authorized use, and maintaining system and network integrity and audit trails.

• J. Secure Systems – Any hardware or software system whose use is restricted to a subset of the community of legitimate RIT users.

III. Relationship to other university policies

A. University Policies – Many issues addressed in this Code of Conduct relate to existing University policies, including (but not limited to) the University’s policies on privacy, intellectual property, and prohibition of discrimination and harassment (found elsewhere in this Manual). This Code is intended to supplement and clarify the guidelines laid out in those policies as they apply to use of computer systems and electronic resources, not to supersede them.

B. Other Computer Use Policies – Campus units that operate their own computers or networks are encouraged to add, with the approval of the unit administrator, additional guidelines that supplement, but do not lessen, the intent of this policy or other University policies. In such cases, the unit administrator will inform users within the unit and will provide a copy of the unit-level policy to the Chief Information Officer and to the Information Security Officer.

IV. User privileges and responsibilities

A. Privacy – The University’s ‘Privacy Policy’ (C7.0) recognizes that ‘Individual privacy and security are highly valued by our society,’ but ‘must be balanced by the other community enumerated values and needs.’ Within this understanding, the RIT community is assured that the privacy of such ‘personal property’ as ‘written communications intended by their creator to be private including those transmitted or preserved in paper, electronic, or other media’ will be protected, although it cannot be completely guaranteed.

The ‘Privacy Policy’ also recognizes that members of the RIT community have a responsibility to cooperate with authorized searches and seizures in emergencies and in circumstances of probable cause. In such instances, including those involving RIT computer and network use, the search and/or seizure of personal property or personal communications will be executed only on the authorization of an official identified in the ‘Privacy Policy.’ Cooperation with the search or seizure of one’s personal property or personal communication does not of itself imply one’s own misuse or abuse of RIT computers or network; the search or seizure may be deemed necessary because of misuse or abuse elsewhere in the RIT system or in systems to which the RIT system is connected or affiliated. For example, scanning and pattern matching of incoming or outgoing e-mail may be necessary to remove computer viruses, to locate the sources of spam, or to respond to legitimate internal or external requests for investigation. In all instances of investigation into personal computing and network use, individuals are protected to the extent possible by the provisions of the ‘Privacy Policy.’

B. Freedom from Harassment – The RIT ‘Policy Prohibiting Discrimination and Harassment’ (C6.0) defines ‘harassment’ as unwelcome ‘conduct, communication, or physical contact’ which has the effect of either ‘unreasonably interfering with’ another’s work, activities, or participation, or of ‘creating an intimidating, hostile or abusive environment’ for a RIT employee or student. Members of the RIT community are assured that electronic communications that appear to have one or more of these effects are prohibited and will be investigated. This prohibition includes all obscene, defamatory, threatening, or otherwise harassing messages.

Correspondingly, members of the RIT community have the obligation not to use the RIT computing systems and network in such a way as to be reasonably judged to produce one or another of the above effects, whether intentionally or unintentionally. Such alleged or real misuse is covered by the provisions of this Code of Conduct as well as by the ‘Policy Prohibiting Discrimination and Harassment’ (C6.0).

C. Intellectual Property – The RIT policy on ‘Intellectual Property’ (C3.0) deals in a detailed and exhaustive way with the rights of RIT employees as creators and owners of intellectual property. The privilege of creating and owning intellectual property as outlined in that policy is fully recognized by this Code of Conduct.

However, where a violation of the ‘Intellectual Property Policy,’ or of the intellectual property rights of creators or owners beyond the RIT campus, is alleged to have occurred through student or employee misuse of the RIT computing systems and network, such alleged misuse will be investigated and, if proved, sanctioned.

For example, RIT users must not distribute copyrighted or proprietary material without written consent of the copyright holder, nor violate US copyright or patent laws concerning computer software, documentation, or other tangible assets. Users should assume that any software or other electronic materials or media are copyright protected, unless the author(s) explicitly states otherwise.

D. Freedom of Expression – In general, all members of the RIT community–students and employees alike – enjoy freedom of expression in the normal course of their activity.

This freedom is both assured by numerous University policies and constrained by specific provisions of certain RIT policies, such as those noted herein (C3.0, C6.0, C7.0, and C10.0) as well as by specific provisions of this Code of Conduct. The constraints are, as in civil law, imposed only for the sake of the common good and the rights of individuals. Consequently, members of the RIT community have the responsibility to use RIT’s electronic resources in ways that respect the rights of others and permit our common electronic resources to be equitably shared. Since free and civil discourse is at the heart of a university community, users should communicate in a manner that advances the cause of learning and mutual understanding.

RIT reserves the right to restrict or deny access to its computing resources to those whose use of them is not consonant with the mission of the university.

V. Responsible use of resources

In exchange for the privileges associated with membership in the RIT computing community, users assume the responsibility to use the community’s resources in a responsible and professional manner. The following paragraphs (A–G) highlight a non-exhaustive list of specific responsibilities. Questions about the appropriateness of any use of resources should be directed to the staff of the Division of Information and Technology Services or to the systems personnel responsible for the resource in question.

A. Access to secure systems

1. 1

   Passwords and similar authorization information – Passwords are the primary way in which users are authenticated and allowed to use the community’s computing resources. One should not disclose one’s password(s) to any individual, including a faculty or staff member, unless the person is a properly authorized system administrator performing account maintenance activities for which the password is required. Similarly, one should not disclose other identifying information (e.g., PIN numbers) used to access specific system information. Authorized users are held accountable for violations of this Code of Conduct involving their accounts.

2. 2

   Unauthorized use of resources – One must not allow others to make use of one’s account(s) or network access privileges to gain access to resources to which they would otherwise be denied.

3. 3

   Circumventing or compromising security – Users must not utilize any hardware or software in an attempt to compromise the security of any other system, whether internal or external to the RIT systems and network. Examples of prohibited activities include (but are not limited to) Trojan horses, password crackers, port security probes, network snoopers, IP spoofing, and the launching or knowing transmission of viruses or worms.

B. Self-Protection – Any member of the RIT community who attaches a computer to the RIT network must take measures to ensure that the computer is protected against compromise by an internal or external attack. In this context, reasonable measures include the installation and maintenance of virus detection and eradication software, care in opening e-mail message attachments, vigilance when visiting Websites and adhering to published system configuration and management standards.

C. Commercial Activity – No member of the RIT community may use a RIT computing account or any communications equipment that is owned or maintained by RIT to run a business or commercial service or to advertise for a commercial organization or endeavor. Use of RIT’s computer systems and networks for the personal promotion of commercial goods or services is strictly prohibited. RIT employees who are engaged in professional consulting for-a-fee relationships may use RIT’s computing and network resources to correspond with existing clients, but not to advertise or promote their consulting practice.

D. Personal Use of RIT Resources – In general, the use of RIT’s computing and network resources to promote commercially-related activities or events that have no direct relationship to RIT’s mission is not permitted. Occasional personal use of these resources, for example, to promote a single fund-raising event or activity, to sell a used item within the RIT community, or to offer RIT colleagues the opportunity to rent a house may be permitted at the tacit discretion of the Chief Information Officer.

E. Communication with Government Officials – E-mail communications with government officials must abide by RIT’s guidelines for political activities as outlined in policy C10.0. Individuals wishing to address a legislative issue on behalf of the university should consult with the Office of Government and Community Relations before sending such communications using RIT’s network.

F. Harmful Activities – One must not use one’s privileges as a member of the RIT computing community to cause harm to any individual or to harm any software or hardware system, whether internal or external to RIT. Examples of harmful activities, in addition to those noted elsewhere in this Code, include:

1. 1

   Intentional damage

   • ° Disabling others’ computers

   • ° Compromising security

   • ° Disabling or corrupting software systems

   • ° Destroying, altering, or compromising data integrity (e.g., student records, personnel information, etc.)

2. 2

   E-mail spamming

3. 3

   Threatening or intimidating e-mail, newsgroup postings, or web sites.

4. 4

   Denial of service attacks (e.g., making it difficult or impossible for others to use the network).

G. Illegal Activities – For the protection of the RIT computing community as a whole, it is imperative that all members refrain from any conduct that is illegal. Illegal activities that are prohibited include (but are not limited to):

1. 1

   Copyright infringement, including publishing copyrighted material such as papers, software, music, musical scores, movies, and artistic works. It is irrelevant whether or not any profit is made from such distribution; the mere fact of providing uncontrolled access to such material is illegal.

2. 2

   Divulging information that is confidential or proprietary information.

3. 3

   Misrepresentation of one’s identity to gain access to systems, software, or other services to which one does not have authorized access.

Appendix F

RIT information classifications

Private – a classification for information that is confidential which could be used for identity theft and has additional requirements associated with its protection. Private information includes:

• Social Security Numbers (SSNs), Taxpayer Identification Number (TIN), or other national identification number

• Driver’s license numbers

• Financial account information (bank account numbers (including checks), credit or debit card numbers, account numbers)

Confidential – a classification for information that is restricted on a need to know basis, that, because of legal, contractual, ethical, or other constraints, may not be accessed or communicated without specific authorization. Confidential information includes:

• Educational records governed by the Family Educational Rights & Privacy Act (FERPA) that are not defined as directory information

• University Identification Numbers (UIDs)

• Employee and student health information as defined by Health Insurance Portability and Accountability Act (HIPAA)

• Alumni and donor information

• Employee personnel records

• Employee personal information including: home address and telephone number; personal e-mail addresses, usernames, or passwords; and parent’s surname before marriage

• Management information, including communications or records of the Board of Trustees and senior administrators, designated as confidential

• Faculty research or writing before publication or during the intellectual property protection process.

• Third party information that RIT has agreed to hold confidential under a contract

Internal – a classification for information restricted to RIT faculty, staff, students, alumni, contractors, volunteers, and business associates for the conduct of University business. Examples include online building floor plans, specific library collections, etc.

Public – a classification for information that may be accessed or communicated by anyone without restriction.