In all of Greg Loge's years as a computer user at ºÙºÙÊÓƵ — as an undergraduate, as a graduate student and as an information technology administrator — he has kept his personal identifying information safe and secure from hackers.
He aims to keep it that way for himself and the university's entire computer network, as ºÙºÙÊÓƵ' first IT auditor, responsible for ensuring compliance with the university's 3-year-old Cyber-Safety Program.
That does not mean Loge is planning to visit each and every employee's workstation. After all, at this time, he is a department of one.
Instead, he will be auditing 21 major university units that are required to submit compliance reports annually. His mission is to ensure that within each of these units, IT personnel are preparing their reports properly and accurately.
"I'm looking to see how colleges and schools and administrative units, including the ºÙºÙÊÓƵ Health System, are adhering to the standards we established in 2005," Loge said.
The Cyber-Safety Program comprises 16 standards dealing with topics that range from software patches, firewalls and the safeguarding of personal information, to Web application security, e-mail relays, and backup and recovery systems.
Loge completed his undergraduate degree at ºÙºÙÊÓƵ in 2000, earning a bachelor of science in managerial economics. He went to work that same year for the College of Agricultural and Environmental Sciences, eventually becoming its IT director.
At the same time, he attended the Graduate School of Management, and he earned his MBA in 2005. He then left campus to work in the private sector before returning to ºÙºÙÊÓƵ in 2006 as chief IT officer for the College of Biological Sciences.
Loge started his new position Feb. 1 — and it is important to note that he is attached to Internal Audit Services. This means that he works independently of the units that he is auditing; his reports go to the provost and the UC Office of the President.
"This is a very important element," said Bob Ono, security coordinator for Informational and Educational Technology, which is paying for a portion of Loge's position for two years — even though the position is outside IET. "This arrangement gives us an independent perspective."
The concept of hiring an IT auditor originated in the university's academic and administrative units, Ono explained. All of them complete surveys annually, in regard to cyber-safety practices, "but without the audits, there is no check on the accuracy," he said.
The units, therefore, see the new audit process as strengthening the Cyber-Safety Program and the security of university systems and data, Ono said.
The security of personal information is paramount, as evidenced by an incident last June when someone gained access to the personal information of an estimated 1,120 applicants to the School of Veterinary Medicine for the 2007-08 school year. The information included names, birth dates and, in most cases, Social Security numbers.
Part of Loge's mission is to ensure that schools, colleges and administrative units, and their subunits, are taking proper care of such personal information.
For example, the university provides scanning software that can find Social Security numbers saved on computers, Loge said. Academic and administrative units should be scanning for this information, and removing it from systems where it is not needed.
"If it cannot be removed, because it is used in the course of university business, then units need to have plans in place to keep the information secure," he said.
Ono emphasized that IT auditing is not simply another layer of bureaucracy. "We want to demonstrate that we are good custodians of personal information," he said.
Identity theft is only one area of concern, Loge said. "Hacking can compromise research data, and can disrupt systems to the point where people cannot do their jobs."
Sometimes, cyber-safety can be as simple as installing software updates and patches in a timely manner, as required by the Cyber-Safety Program, and Loge will be checking for this.
More complicated issues center on firewalls, which regulate Internet traffic in and out of computer systems; and the security of information that people enter onto various Web forms.
"I'm not looking to find out what Web sites people have visited," he said, "only to make sure we are doing all we can to keep our data secure."
As he carries out his audits, Loge said he will gauge the effectiveness of the Cyber-Safety Program, raise awareness of its importance, and identify best practices that can be shared throughout the university.
"People should see this as a good thing," he said. "We will be providing feedback to upper management about risks in our network."
Media Resources
Clifton B. Parker, Dateline, (530) 752-1932, cparker@ucdavis.edu