SecurePurdue is a major initiative focused on improving the security of data and campus IT resources on all Purdue campuses. The goals of SecurePurdue are to:
- Create ongoing, dynamic plans to protect the University and its constituents' information, while ensuring the privacy and confidentiality of this information.
- Increase a "defense in-depth" approach to information security across all campuses.
- Enhance our methods of protection, detection, and defense.
- Assure confidentiality, privacy, integrity, and availability of data and systems while not unnecessarily hindering learning, discovery, research, or communication.
Although Purdue has a central IT organization in ITaP, there are many other academic and business unit IT organizations as well. In all, there are 34 separate IT groups on the West Lafayette campus alone. SecurePurdue will coordinate IT security efforts across all Purdue campuses and help set University-wide priorities. A security officers group has been created with one representative from each of the IT units, and this group will serve as an advisory group for SecurePurdue.
Strategic guidance for the SecurePurdue program comes from Purdue's IT Strategic Governance Committee. SecurePurdue activities span the University and are coordinated by the Chief Information Security Officer, ITaP Security and Policy, the Security Officer's Working Group, and the University's Data Stewards organization.
SecurePurdue will have four components: technology; policy and procedures; remediation; and training and awareness.
Technology: Purdue will be updating the tools it uses to defend against illegal computing activities, and making greater use of technologies such as more robust intrusion detection, firewalls, and vulnerability scanning tools.
Policy and procedures: To implement many of the most up-to-date security technologies, Purdue policies on the use of computing resources will have to be modified or new policies and procedures created. Other policies are simply out-of-date in today's IT world. Additionally, because of the concern about computer security, many new laws and regulations are being affecting data protection, and these may also result in a change of Purdue policies.
Remediation: There are many types of private information at the University, and protecting and authorizing access to this data also will be a part of the SecurePurdue mission. Although this restricted data takes many forms, one of the most familiar pieces of restricted data is an individual's Social Security number. Like other universities, for decades Purdue has relied on the nine-digit Social Security number, or SSN (000-00-0000) to identify individuals. However, now Purdue is replacing this number with a ten-digit PUID (00000-00000) wherever possible.
Training and awareness: SecurePurdue will affect each member of the Purdue community, and resources will be available to help everyone understand and implement the changes. This Web site serves as a clearinghouse for information and resources on computer security and issues related to the four components of SecurePurdue. Training on security issues will be offered as part of the program. This training will include documentation, videos, and courses on both technical and non-technical subjects.
Purdue University Information Security Compliance Programs
The Purdue University Information Security Program coordinates a number of information security compliance activities.
- Ensure the security and confidentiality of customer information in compliance with applicable GLBA rules as published by the Federal Trade Commission.
- Provide administrative, physical, and technical safeguards to ensure compliance with the HIPAA Security Rule.
- Provide oversight to ensure compliance with the Fair and Accurate Credit Transaction Act of 2003 (FACTA) for identity theft Red Flags.
- Safeguard against anticipated threats to the security or integrity of protected electronic data.
- Guard against unauthorized access to or use of protected data that could result in harm or inconvenience to any customer.