By Ed Hayward | Chronicle Staff

Published: Oct. 18, 2012

Like any large business or institution built around people, Boston College is an information security minefield.

From grade books to data spreadsheets, face-to-face conversations to Internet-based file storage, a range of examples highlights the need to properly manage protected personal, institutional and academic information.

To ensure this information remains protected, the Office of Information Technology Services this month kicks off the Information Security Awareness Initiative to help faculty, staff and students ensure University information is shielded from a range of threats – from predatory Internet hacks to simple human error.

“Information security isn’t just an IT issue, it’s a University responsibility that everyone must take seriously,” said Michael Bourque, vice president for Information Technology Services. “We have staff and services available to help Boston College employees, faculty and students, but we’re also asking everyone to make a personal commitment to information security.”

The initiative will include periodic information sessions, monthly “security contests” offering prizes to faculty and staff, and a campaign kick-off contest where any faculty, student or staff member who changes their BC password will automatically be entered to win an iPad. Full information about upcoming events can be found at the initiative website www.bc.edu/security.

The initiative is an outgrowth of the work undertaken by the University’s Data Security Working Group, which spent the past year analyzing Boston College’s information protection practices and potential weaknesses, according to Mary Corcoran, the associate vice president for Information Security Assurance, the cornerstone of the University’s safe computing efforts.

The Data Security Working Group found a need to increase security awareness because potentially sensitive information exists in many areas across campus and is under users’ control, so the people working with the information should be informed of proper data management practices.

“Throughout the campaign, we’ll be reminding people to pay special attention to sensitive information they possess to ensure it is not accidentally or inadvertently made accessible,” said Corcoran. “This could be a case of confidential documents left in an unlocked drawer or a phone conversation about a private matter that others can overhear. We don’t want any potential scenario to be taken for granted.”

The University takes a number of steps to ensure the appropriate management of confidential data and information, including mandatory web-based security tutorials for employees and user-initiated computer scans that look for files containing private information, such as Social Security or credit card numbers. Institutional policies address the protection of personal and research data.

In the coming months, the initiative will focus on a range of topics, including:

• Maintaining an inventory of stored data
• Information and data safety while traveling
• Ensuring cell phone, tablet and laptop security using passwords and autolock features
• Avoiding personally targeted attempts to gain information, also known as “spear phishing”
• “Stop. Think. Connect.” practices to ensure online security
• Choosing external applications carefully, consulting with a data security officer or University IT about vendor reputation and product reliability


An expanding selection of devices is now used to access BC data via the Internet, and the many new types of portable data storage tools – from USB thumb drives to pocket-sized backup drives to “cloud”-based storage services – each present unique security challenges, said David Escalante, director of IT Policy and Security.

“Individuals now access e-mail, desktops and stored files from their cell phones, tablet computers, laptops and home desktops,” said Escalante. “Whether personal or University property, each device is another platform where security is crucial. Everyone needs to be vigilant and follow best practices as they access sensitive information, regardless of whether they’re on campus or off campus, on a computer or on their smart phone.”

Bourque said most people have a sophisticated sense of security when it comes to protecting their own personal information, either in hard copy or online. The goal is to expand that vigilance to the workplace.

“People have become much more aware of information security on a personal level, given the attention that’s been paid to identity theft,” said Bourque. “It is a logical step to take very similar precautions in the workplace. Information Technology Services offers a range of resources to assist in the careful stewardship of the information we bear the responsibility of protecting.”