One Step Ahead: Almanac Security Tips - 2013

Table of Contents (view all)

Spring Cleaning Your Office? Know What to Do with E-Waste
Keep Your Identity Safe When Filing Taxes This Year
Why use Penn+Box when Storing Data in the Cloud
Mobile Device Security - 3 Recommendations for Cloud Users (Hint: That's You!)
Be Aware of QR Code Risks
It’s Data Privacy Month: Update Your Facebook Privacy Settings and More
How Are You Celebrating Data Privacy Month?
Stay Secure while Working on Public Wi-Fi Networks
Protecting Your Finances During This Year's Holiday Shopping Season
Cloud and You
Security and Privacy Online Training & Tools
October: Free Secure Disposal of Paper and Electronics at Employee Resource Fair; NCSAM
Student Privacy - What Do I Need To Know? A FERPA Reminder
Top 10 Tips for Securing Your Smartphone or Tablet
Working Off Campus? Some Tips to Consider

Whats popular?

Tagged with SSNs , privacy

Tuesday, April 15, 2008 - Almanac Vol. 54, No. 29

SSN Policy Reminder–Comply, or Have Compliance Plan, by May 1, 2008

As you may recall, Penn’s Social Security Number Policy was announced in the Almanac last fall. See www.upenn.edu/almanac/volumes/v54/n16/sspolicy.html.

The policy establishes expectations around the use of Social Security numbers—sensitive data whose misuse poses privacy risks to individuals, and compliance and reputational risks to the University. The policy calls on staff, faculty, contractors, and their respective agents to inventory their online and offline Social Security numbers and reduce the above risks by, in priority order: (1) eliminating this data altogether, (2) converting it to PennID, (3) truncating the data to capture and display only the last four digits, (4) when the complete SSN is clearly necessary, ensuring strict security controls to protect the full data.

In specified circumstances the policy requires that complete SSNs be encrypted at rest (that is, while the data is residing on a hard drive or storage device) and/or in transmission (while the data is in transit from one database to another). Note that the encryption “at rest” requirements in the policy apply within 3 months of such technology and service being recommended and supported at Penn. This recommendation is expected in the near future.

Compliance with the SSN policy is to be achieved or, in the alternative, a plan to achieve compliance within a reasonable timeframe is to be developed, no later than May 1, 2008, as stated in the policy.

(Note that compliance plans need not be submitted; they should be stored/filed securely, however, since they may contain sensitive information.) Since this deadline is fast approaching:

• Are you inventorying your online and offline SSNs?
• For identified SSN data, are you eliminating, converting, truncating or securing the SSNs, in keeping with the policy?
• If these steps will not be completed prior to the May 1, 2008 deadline, are you developing a plan (that will be written by May 1) to achieve compliance within a reasonable timeframe?

Users of personal computing devices may contact their Local Security Liaison for assistance in complying with the SSN policy or developing a compliance plan. Contact security@isc.upenn.edu for further information.