Standards for Securing Private and Regulated Information [1] Such as SSNs and Credit/Debit Card Numbers: Access, Handling, Usage, Transmission, Storage, Disposal, Application Development

(Updated 04.28.06)

Introduction

University at Buffalo has legal and ethical obligations to ensure that private (and legally protected) information such as the SSN is secured in a manner that minimizes risk of unauthorized or inappropriate use or disclosure. "Private and regulated information" is defined here as (1) Social Security number, (2) driver's license number or non-driver identification number, or (3) credit or debit card number, financial account number.

University Data Custodians and Data Trustees are tasked with understanding and applying the legal and ethical restrictions associated with data in their functional areas, as well as ensuring that proper procedures are in place to meet these requirements. Department managers, including Deans, Directors, Chairs, and other Managers, need to work in conjunction with Data Trustees to ensure that their processes adhere to data usage, handling, and security standards and policies. All employees with access to SSNs need to follow security standards and guidelines for handling legally protected and sensitive data.

Specific areas of concern with respect to how sensitive institutional information is handled by all university personnel are the following:

  • Ensuring that employees with access to private information (as defined above) are aware of the legal and ethical issues associated with SSNs, credit/debit card numbers, and other protected data
  • Ensuring appropriate security protections are in place for private information and that standards are followed regarding access, use, storage, disposal, and release of protected data such as SSNs
  • Ensuring that private information and protected data are transmitted securely (For example, SSNs are not transmitted in clear text via email or via insecure file transfer.)
  • Ensuring that legally protected, private "data at rest" (private stored data) are encrypted unless the data have been transmitted to a secure network, as determined by the campus Information Security Officer.
  • Ensuring that secure computer systems (http://www.itpolicies.buffalo.edu/NetworkConnectedDevices) and data storage are used to store and manipulate data

Traditionally, University at Buffalo, like many universities, has used the SSN as an ID number and common key to University records and information systems. Recognizing the increased concern over privacy and the risk of identity theft, as well as to meet federal and state legal requirements, the University is accelerating its efforts to protect the SSNs of the University community by using the Person Number as ID number and common key, restricting access to SSNs in institutional information, and providing guidelines for use and handling of SSNs and other private information for those with access.

Protecting the Confidentiality of Private Information Including Social Security Numbers, Credit/Debit Card Numbers

Organizational units must develop and follow administrative, physical, and technical procedures to protect the confidentiality of private information. For additional specific information about the collection and use of SSNs, please see the Social Security Number Policy.

Standards for handling regulated private information follow.

Access
Access to private information is limited to those who need to use the information in the performance of their job responsibilities. See Requesting Access to InfoSource Data Containing SSNs: Policy and Procedures for information on requesting access to SSNs in InfoSource. Data Trustees grant and revoke access, as well as monitor and review access to private data such as SSNs in InfoSource.

  • Steps must be taken to maintain the privacy of private information such as the SSN. For example, this includes taking reasonable steps to remove SSNs from public view (on computer displays and paper documents), to ensure that conversations concerning SSNs are conducted as privately as possible, and to ensure that SSNs are physically secured when not in use.
  • Strong passwords should be set on computer systems used to access sensitive data. Password-protected screen savers, desktop locking, or logging off should be employed when your computer system is unattended.
  • Desks and file cabinets containing private data such as SSNs should be locked when unattended by an individual with access to the private data. 
  • Laptops are inherently physically insecure since they can easily be stolen: Unencrypted private data may not be stored on laptops. Cable locks are available for securing laptop computers and act as a deterrent to theft.  Special care must be taken to protect laptops against theft in airports, hotels, and other off-campus sites.  Follow these tips for protecting your laptop on the road.
  • Servers containing SSN data should be housed in secure spaces with appropriate system access controls to protect against unauthorized access, and be protected against malicious software.
  • Removable media, such as flash or jump drives and CD/DVDs, may not be used to store unencrypted SSN data.

Use
SSN data may only be used for the stated legal and/or business purpose for which it was collected.  In addition, SSN data may not be shared with others and may only be disclosed as authorized by law or with specific consent from the individual from whom it was collected. 
  • The SSN may only be used in a manner consistent with authorized access and the duties and responsibilities of the position.
  • The SSN may not be provided to anyone without proper authorization.  You may not delegate your authorization/access to SSN data to anyone.
  • Copies of SSN data or records will not be made except as required in the performance of duties.
  • SSN data for which there is no longer a business need will be destroyed or disposed of securely.  Please see Disposal guidelines below.
  • SSN data will not be used for any personal or commercial purposes.
  • Any unauthorized access to SSN data will be reported immediately to the appropriate supervisor. 
  • Unauthorized use of SSN data will result in the removal of access privileges and could also result in appropriate administrative action, including, but not limited to, disciplinary and/or legal action.

Transmission
Sending SSNs over the Internet or by email is prohibited unless it is done in a secure environment, and steps must be taken to protect the confidentiality of fax and paper transmissions containing SSNs.
  • All electronic transactions and transmissions containing SSNs must either encrypt the confidential information or ensure that the connection is secure (by use of industry-standard security protocols, such as SSL, SSH, or SFTP). Your local IT support provider can provide information on encryption and/or using standard security protocols to transmit SSNs.
  • SSN should not be included in email text or attachments unless done in an encrypted environment.
  • SSN should be removed from paper forms and faxes unless required by law or determined to be necessary by the appropriate data trustee.
  • When SSN is exchanged on paper, steps must be taken so the number is not revealed.  For example, the SSN must not appear in an envelope window.
  • Fax transmission over telephone lines is secure if appropriate safeguards exist when faxing SSN; that is, making sure the recipient's fax number is correct and the fax is not left in an unsecured area.  Fax transmissions involving computer networks are not secure and should not include SSN.
  • When it is determined that SSN must be shared with a third party, a written agreement to protect the confidentiality of the SSN must be in place.

Storage
Units must actively work to remove SSN data from local electronic files, databases, images, and paper documents. Any University office that collects and maintains an individual's SSN must ensure that the SSN is stored in a secure and confidential environment, eliminate use of the SSN for any purpose except that for which it was collected, and follow the guidelines below for the disposal of records containing the SSN. The objective is that private "data at rest", i.e., "stored private data", should be encrypted unless it has been transmitted to a secure network as vetted by the Information Security Officer.
  • As a general practice, SSNs may not be stored on a local workstation or laptop, or on a floppy disk, CD/DVD, PDA, USB flash drive, or other portable storage device.  Several recent information security incidents at universities have involved the theft of such devices containing SSNs. If storing SSN on such a device is absolutely necessary for legal or business reasons, the information must be encrypted and the device must be physically secured.
  • Computer applications requiring the SSN must store the SSN on a secure network server that is physically secure (in a secure environment), as well as protected from unauthorized access and against malicious software.  Encryption of the data is advised to add another layer of security.
  • On-site Storage: Tapes, disks, backups, and other electronic storage devices containing SSN must reside in secure physical locations.
  • Off-site Storage: Any electronic storage media containing SSNs taken off-site must be protected by encryption.
  • Documents and forms containing SSN should be stored in a restricted access area, such as secure cabinets or a locked desk, available on a limited basis.
  • Anyone working with paper documents that contain SSNs must take steps to protect the confidentiality of the information: desks and file cabinets containing SSN data should be locked when unattended.

Disposal
As the SSN is replaced by the University Person Number as the common key and eliminated from the routine course of business, units will need to follow standards for secure disposal.
  • Prior to recycling or disposal, desktop, laptop, and server disks containing SSNs must be physically destroyed or securely overwritten using the DoD 5220.22-M standard for overwriting data to make it forensically unrecoverable. Your local IT support provider can provide help with this.
  • Prior to disposal, steps must be taken to physically destroy or overwrite the information on portable electronic storage devices, including USB drives, disks, CD/DVDs, etc. containing SSNs.
  • Paper documents containing SSNs must be shredded locally or otherwise disposed of securely.

Application Access Control

Access to business and systems applications must be restricted to those individuals who have a business need to access the applications or systems in the performance of their job responsibilities. Access to source code for applications and systems must be restricted to those who have a business need for access.

"Legacy" Data

The University recognizes that the SSN must be retained and used as a personal identifier and common key in the older "legacy" data of former students and employees who were members of the campus community before University person numbers were available. 

Compliance

An employee or student who has substantially breached the confidentiality of Social Security Numbers, Credit Card Numbers, Driver's license numbers, or other legally protected information will be subject to disciplinary action or sanctions up to and including discharge and dismissal in accordance with University policy and procedures.

Contacts

Please contact the IT Policy Officer in the Associate VP for Information Technology Office if you have questions about this policy.


[1] Private and regulated information includes Social Security numbers, credit/debit card numbers, driver's license numbers, and non-driver identification numbers. See the NY State Information Security Breach Act.

Related Links

» NY State Information Security Breach and Notification Act,
NY State Technology Law § 208

» Federal Privacy Act of 1974

» Family Educational Rights and Privacy Act: FERPA

» NY State Law: Chapter 16, Article 1, Title 1, Section 2b

» Payment Card Industry - Cardholder Information Security Program

» UB Policy on Securing Network Connected Devices

» Social Security Number Policy: UB's General Policy on the Collection and Use of Social Security Numbers

» Requesting Access to InfoSource Data Containing Social Security Numbers: Policies and Procedures

» UB IT Policies Web Site


Copyright 2007, University at Buffalo, All rights reserved.