|One Step Ahead
April 15, 2008, Volume 54, No. 29
Another tip in a series provided by the Offices of Information Systems & Computing and Audit, Compliance & Privacy.
SSN Policy Reminder–Comply, or Have Compliance Plan, by May 1, 2008
As you may recall, Penn’s Social Security Number Policy was announced in the Almanac last fall. See www.upenn.edu/almanac/volumes/v54/n16/sspolicy.html.
The policy establishes expectations around the use of Social Security numbers—sensitive data whose misuse poses privacy risks to individuals, and compliance and reputational risks to the University. The policy calls on staff, faculty, contractors, and their respective agents to inventory their online and offline Social Security numbers and reduce the above risks by, in priority order: (1) eliminating this data altogether, (2) converting it to PennID, (3) truncating the data to capture and display only the last four digits, (4) when the complete SSN is clearly necessary, ensuring strict security controls to protect the full data.
In specified circumstances the policy requires that complete SSNs be encrypted at rest (that is, while the data is residing on a hard drive or storage device) and/or in transmission (while the data is in transit from one database to another). Note that the encryption “at rest” requirements in the policy apply within 3 months of such technology and service being recommended and supported at Penn. This recommendation is expected in the near future.
Compliance with the SSN policy is to be achieved or, in the alternative, a plan to achieve compliance within a reasonable timeframe is to be developed, no later than May 1, 2008, as stated in the policy.
(Note that compliance plans need not be submitted; they should be stored/filed securely, however, since they may contain sensitive information.) Since this deadline is fast approaching:
• Are you inventorying your online and offline SSNs?
• For identified SSN data, are you eliminating, converting, truncating or securing the SSNs, in keeping with the policy?
• If these steps will not be completed prior to the May 1, 2008 deadline, are you developing a plan (that will be written by May 1) to achieve compliance within a reasonable timeframe?
Users of personal computing devices may contact their Local Security Liaison for assistance in complying with the SSN policy or developing a compliance plan. Contact firstname.lastname@example.org for further information.
To receive weekly OneStepAhead tips via email, send email to email@example.com with the following text in the body of the message: sub one-step-ahead <your name>.
For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.