Annette Evans is the Information Security Officer (ISO) for UTSA. She was hired in 1982 as a systems analyst. She has held several positions since then: Manager, Administrative Computing; Director, Administrative Computing; and Director, Strategic Planning and Information Security. She now serves as ISO.
What are your responsibilities as the Information Security Officer at UTSA?
I am responsible and accountable for information security for all centrally maintained and distributed systems and computer equipment. My duties include protecting the information, making sure there are no changes made to it, and that privileges are not abused. My staff handles all sorts of hacking incidents. We frequently are called in to do forensic work. This occurs when there is suspected criminal activity or legal issues. In these instances, we secure the electronic evidence. Overall, my job is to maintain protection and assurance of all electronic information.
What do you see as UTSA’s biggest challenge in information security?
We are constantly trying to maintain a balance between access and security. We want our customers to have maximum utilization of every operating system, application, and equipment they choose to install. This creates increasing security challenges across the tri-campus community. There is also a high level of compliance issues that we must address. The internet has made us more vulnerable than in the time of the mainframe computer. Compliance professionals have tried to minimize the risks, but there has been and continues to be a tremendous amount of change occurring at a rapid pace.
What is E-Discovery and how has it impacted UTSA?
In December of 2006, several amendments to the Federal Rules of Civil Procedure clearly spelled out how organizations are expected to preserve or save electronically stored information, also called ESI, which may be required for litigation, or going to be litigation. Simply stated, you must freeze all electronic data in your environment that has to do with that specific litigation. For example, an employee is demoted or fired. You may suspect from past behavior that the individual is going to sue the university. At the point at which the legal staff feels this is a strong possibility, Information Technology (IT) staff is required to recover all ESI that the individual has ever used – including all of their emails as well as ESIs generated by any supervisors. The IT staff has to freeze the electronic information in such a way that no one can accuse UTSA of having tampered with the data. Each case that the IT department has been involved in thus far has included 15-20 people. The retrieval of electronic data occurs for not only the person litigating, but everyone involved. We had to find a way to do that so it will be acceptable in court and to preserve the data over time. In terms of impact to UTSA, this is costly and will impact the employees who really aren’t used to having their personal data reviewed by third parties.
What are some things that the information security department has done to help protect electronic data in campus computers?
We had the campaign for Social Security Numbers (SSNs) protection which included encryption for laptops. Over the past several years, we have improved our ability to watch traffic. We have also purchased software that allows us to better determine certain types of problems within a computer. This past October, which was Cyber Security Awareness Month, we conducted a series of workshops and lectures to enhance information security awareness. Also, UT System’s IT department is able to monitor our incoming and outgoing traffic. When an SSN is found, our IT department is notified and a detailed e-mail is sent to us. It gets captured in any format.
Networking with other IT professionals has also been a benefit. I lead a group called InfoSec that started six years ago. We meet four times a year. This group includes all the Information Security Officers and Technicians from the UT System. We have a two-day program that concentrates on the latest issues and products within IT. It has been very valuable in helping us become proactive in information security issues.
How do you keep current since information technology is such a dynamic and fast-paced field?
I stay up-to-date by reading, attending training and having my staff attend training to stay current. My staff and I are big researchers, so we are constantly on the internet looking for the latest issues and solutions. We also receive daily warnings from various state or national organizations about the next thing that is coming out. We even hire outside consultants to test the network for vulnerabilities. And that is an excellent piece of assurance.
Why has information security become such a high priority for UT System’s administration – what is the driving force behind this initiative? Being that we recently combined three BPMs (SSNs, Digital Research, Resources Use & Security)
Yes, there have been serious breaches at several universities. The UT Austin McCombs School of Business suffered such a breach of their data. But the issue is much broader. We were looking at the best way to provide security for all of the types of electronic data that we use—student data, HIPAA, employee records, personal data, etc.—the list is long. Some of this data is required because of various mandates, legal as well as other compliance requirements. But there is also the issue of protecting research data as well as making certain that confidential data is not inappropriately breached.
Most people are not even aware of the rules regarding what type of computer software and hardware cannot be taken out of the country!
The intent of these new information security initiatives is to streamline our processes and better define the issues as well as provide better information to the University community.