SSN Privacy - PowerPoint PPT Presentation

About This Presentation
Title:

SSN Privacy

Description:

Resulted in OSU interim policy 'Disclosure or Exposure of Personal Information' ... Cover sheet for fax, redact if possible. Paper. Lock up with limited access ... – PowerPoint PPT presentation

Number of Views:144
Avg rating:3.0/5.0
Slides: 18
Provided by: kristin130
Category:
Tags: ssn | privacy | redact


Transcript and Presenter's Notes

Title: SSN Privacy


1
SSN Privacy Safeguarding
  • College of Food, Agricultural & Environmental
    Sciences
  • Human Resource Professionals
  • April 12, 2007

2
Agenda
  • Project Overview Update
  • Policy Concepts
  • Transition Steps
  • Related Projects
  • Best Practices
  • Contacts

3
Project Overview Update: Why?
  • Legislation & Policies
  • FERPA
  • House Bill 104 (ORC Section 1347), effective
    2/17/06
  • Requires notification to affected individuals for
    data exposure unless encryption is used
  • Resulted in OSU interim policy "Disclosure or
    Exposure of Personal Information" (see
    http://cio.osu.edu/policies/disclosure.html)
  • Notify the CIO at security@osu.edu or 247-2020 to
    report actual or potential data breaches
  • SSN Privacy Safeguarding policy
  • University leadership prefers to discontinue SSN
    use, where possible

4
Project Overview Update: Why?
  • Identity theft
  • Federal Trade Commission
  • Reports 237 security breaches nationwide from
    February 2005 to July 2006, comprising 89
    million records. Higher education accounted for 83
    of these breaches (35%).
  • Estimates that 10 million people were victims of
    identity theft in 2005, with a total cost to
    victims, government and businesses of $55
    billion. A Gartner survey indicates 15 million
    victims for the 12-month period ending July 2006,
    with an average loss of $3,257.
  • Reports that the largest age group of identity
    theft victims is between 18 and 29 years of age.
    The second largest age group is 30-39 years.

5
Project Overview Update
  • Goals
  • Develop policy which encourages SSN
    discontinuation, appropriate use and protection
  • Educate community
  • Update
  • Collected SSN usage information through a survey
  • 1300 submissions, 930 for identification purposes,
    with at least 25 unprotected
  • Formed advisory group subcommittee
  • Drafted policy procedures
  • Preparing educational materials

6
Policy Concepts
  • SSN Collection & Retention
  • Requires pre-approval for each business process
  • Approval required from dean/vice president,
    business owner and Privacy Office
  • Annually renewed by June 30th
  • Lists legitimate activities
  • Requires distribution of privacy notice
  • Mandatory training for employees; employees sign a
    confidentiality statement
  • Lists prohibited SSN use
  • Primary identifier
  • Primary key
  • User account creation/login/password
  • Storage on non-University owned/operated
    equipment

7
Policy Concepts
  • SSN Protection
  • Physical as well as technical
  • Business associates (vendors, external agencies,
    etc.)
  • Implementation
  • Breaches
  • Departments may share in costs

8
Transition Steps
  • Identify SSN Use
  • Where is SSN being used?
  • How is it retained?
  • Who has access to SSN information?
  • Plan for Transition
  • Determine timeline
  • Prioritize remediation

9
Transition Steps
  • Communicate Plans
  • Internally
  • Externally (especially third parties)
  • Transition ASAP

10
Transition Steps
  • Share Progress
  • Share SSN Messages
  • Remediation, Protection & Best Practices

11
Related Projects
  • Institutional Data Policy (in draft)
  • Requires classification of data into one of three
    categories
  • Unrestricted public data
  • Examples: High-level Enrollment Statistics,
    Course Catalog, Current Funds Budget, Financial
    Statements
  • Sensitive - users must obtain specific
    authorization to access, since the data's
    unauthorized disclosure, alteration, or
    destruction will cause perceivable damage to the
    university. Note: All institutional data in the
    enterprise-level administrative systems is
    classified as sensitive unless otherwise
    indicated.
  • Examples: Date of Birth, Ethnicity

12
Related Projects
  • Institutional Data Policy (continued)
  • Protected - the highest levels of restriction should
    apply, both internally and externally, due to the
    risk or harm that may result from disclosure or
    inappropriate use. This includes information
    whose improper use or disclosure could:
  • 1. Adversely affect the ability of the university
    to accomplish its mission.
  • 2. Lead to the possibility of identity theft by
    release of personally identifiable information of
    university constituents.
  • 3. Put the university into a state of
    non-compliance with various state and federal
    regulations such as FERPA, HIPAA, GLBA, or Ohio
    Public Records Law.
  • 4. Put the university into a state of
    non-compliance with contractual obligations such
    as payment card industry data security standards.
  • Examples: Social Security Number, Patient Care
    Data, Credit Card Information

13
Related Projects
  • Legacy SSN Protection
  • Selected Student Reports: remove SSN
  • Operational Data Store: secure transmission;
    mandate use of desktop encryption
  • BuckeyeLink: assess security risks on student
    web applications and fix them
  • Credit Card Security Standards
  • http://www.treasurer.ohio-state.edu/staff/polsroc.html#sectionC

14
Best Practices
  • Telephone & Fax
  • Requesting/Accepting SSN over phone
  • Voicemail
  • Cover sheet for fax, redact if possible
  • Paper
  • Lock up with limited access
  • Destroy documents, preferably by cross-cut shredding
    (follow the University's retention schedule)

15
Best Practices
  • Remote access
  • Same rules apply; use VPN or other secure
    transmission
  • New systems, applications or processes
  • Use alternative identifier (name.n, OSU ID, etc.)

16
Best Practices
  • Electronic (PC, laptops, PDA, etc.)
  • Email
  • Encryption: Advanced Encryption Standard (AES)
    preferred
  • Screen saver/lock desktop
  • Password protection
  • No password sharing
  • Delete unused files
  • Shred or destroy CDs, DVDs and hard drives

17
Contact Information
  • Project Director
  • Joyce Wagner
  • Wagner.21@osu.edu
  • (614) 247-8206
  • Project Team
  • buckeyesecure@lists.acs.ohio-state.edu
  • Web Site
  • http://cio.osu.edu/buckeyesecure/