Q & A: David Kovarik

Director of Information and Systems Security/Compliance discusses hackers, the essentials of passwords and why every computer linked to the Northwestern network is a security priority

Information Technology (IT) formalized its new office of Information and Systems Security/Compliance last year by hiring David Kovarik as director. Kovarik came to Northwestern with 22 years of information security experience.

Kovarik’s newly formed division of IT is charged with three primary responsibilities: information security, disaster recovery within the IT organization, and legislative compliance. Kovarik says his mission is straightforward: enabling the University to do business in a secure manner and maintaining the delicate balance between service and security.

Recent reports indicate a string of information security breaches at major U.S. universities, including the Kellogg School of Management, which suffered a hacking incident last month.

Is there a lesson from the hacking incident at Kellogg?

It emphasizes the importance of adhering to University policy and industry-recommended security standards. Passwords are especially important. We stress strong “pass phrases” to protect your identity and the resources that you have access to. For passwords, longer is better. Use special characters and avoid dictionary words or things that are personal and may be common knowledge about you: no birthdays and no pets’ names. We could avoid a lot of problems if we protect our passwords the way we protect the PIN for our ATM card.

Anything that heightens awareness is to our benefit. What we need to do is take those events and say, “What does it really mean to me as an individual?” Understanding that your identity has significant value is the starting point — identities are the currency of the hacker world.

Some people don’t think they have sensitive information on their computers. So why should Northwestern users care about security?
Your laptop or desktop is the mechanism that you use to access the Northwestern network. Therefore, any compromise of your machine is potentially a compromise of our network. If you look at your NetID, it really is the key you use to access all the many valuable resources that are made available by the University. So while you may not store sensitive or personal information on your PC, the resources that are made available to you are certainly of high value and should be protected with good security. Keep your antivirus and other software up to date, keep up with system patches, use the firewall feature of your operating system and make sure your computer password is as strong as — optimally stronger than — your NetID password.

What is one security initiative your group is working on?

As far as information security goes, communication is essential. When you look at the depth and breadth of the University, it’s simply not possible for us to address this with [a staff of] three people. One of our biggest projects is building formalized networks of everyone within the University who have information security and disaster recovery functions. We have to make sure we’re exchanging information at the same rate and the same depth that the hacker community is, because that’s really our major competition.

You’re also charged with ensuring Northwestern complies with federal regulations and policies. Can you describe a relevant policy and how are you coordinating compliance?

The policy that comes to mind immediately is the Health Insurance Portability and Accountability Act. One clause went into effect April 21, addressing access controls that must be in place to protect the personally identifiable information about individuals, their medical conditions and even their insurance premiums. For example, at the department of communication sciences and disorders, where they see patients, personal information is subject to additional security and scrutiny.
Some aspects of physical security must also be addressed, like making sure terminal displays that show health information are not visible to the public. People should not be able to see screens from the lobby or through your office window.

Your last job was at a large banking corporation. How does financial information security relate to your charge here, where the capital is often intellectual?

Working in financial institutions, what we were protecting wasn’t really the hard currency, but information about the corporate organization. It’s really not much different here. I think once you understand that information has value and that there are people who would like to acquire it in ways that are not necessarily appropriate, the job is essentially the same: we still have to provide a secure infrastructure.

The major difference is that, for the most part, financial institutions operate on the basis of conservatism — most of the data is held closely. The University is a slightly different environment — most of the data is freely available, and we have to decide what information we need to protect.

Overall, I think the experience that I have had with financial institutions will serve me well and benefit Northwestern. As I said before, we’re here so the University can conduct its business in a secure manner.

— Dan Frommer