Instructions for Units
This page contains SSN elimination instructions for campus units.
Included below are the instructions and forms necessary for your unit to certify that it has met the requirements of the Social Security Number (SSN) Elimination Program, sponsored jointly by the Offices of the Chancellor and the Provost, and overseen by the Security Office within the Office of the Chief Information Officer.
If you have any questions about this program please contact Mike Corn, Director of Security Services and Information Privacy, at (217) 265-0588 or by email at securitysupport@uiuc.edu.
Below you will find:
- Instructions for compliance with the SSN Elimination Program
- Suggested text to be used to communicate the obligations of the program to faculty and staff in your unit
- Forms to collect the required data and signatory form for unit heads (department heads, directors of major units, Deans, heads of Service Organizations)
Program Description
The SSN Elimination Program requires members of the Urbana-Champaign campus to perform a one-time search of their computer workstations for electronic files that contain Social Security numbers and to either delete or securely archive those files. All faculty and staff are being requested to perform this search for this first year of the program; in future years, only individuals who have been officially granted access to SSNs or who store or maintain SSNs will be required to perform this search.
To assist in this process, two programs have been created: Firefly for Microsoft Windows and Firefly4Mac for Apple OS X. A set of recommendations for other platforms has also been assembled. Firefly for Windows also scans files for credit card numbers and identifies files containing those numbers in the report produced.
In addition to running this search, units are being asked to assemble and maintain a list of individuals who have received authorization to access and/or store SSNs, as well as a list of electronic systems that store or manipulate SSNs. Finally, unit heads are being asked to sign a form certifying that their unit has executed the SSN Elimination Program to the best of its ability.
Program Rationale
Both SSNs and credit card numbers are protected by a number of federal and state regulations. These regulations require significant protections be put into place and specify our actions (and consequences) should either SSNs or credit card numbers be inappropriately released. The campus embraced these measures even before they were mandated, in order to best protect members of the University community from identity theft and related fraud. Failure to meet the federal and state regulations would result in very costly and disruptive measures being taken if either SSNs or credit card numbers were unintentionally released.
Since SSNs were historically used as a common person identifier in University systems, many individuals retain spreadsheets, class rosters, word processing documents, and databases with large numbers of SSNs. Faculty should also consider the possibility that research data could contain SSNs. Should any computer containing SSNs become compromised or "hacked" by attack from a computer virus (for example), all of the legal requirements surrounding the loss of SSNs come into play--this typically amounts to $75 per SSN in direct costs to the unit. The SSN Elimination Program is an intensive effort to seek out and eliminate SSNs from the general campus computing environment.
The loss of personal information (regardless of the circumstances) is felt very deeply and personally by those affected. The SSN Elimination Program is a positive step towards reducing these sorts of incidents. See the Daily Illini story "Email Exposes Confidential File" and comments on the article.
Unit Obligations
Units need to:
- Notify faculty and staff of the requirement to participate in the SSN Elimination Program
- Collect and maintain a list of individuals authorized to access SSNs (on the data form provided to units)
- Collect a list of applications or systems that store SSNs and develop either a business case for system retention or a plan for the retirement of these systems (on the data form provided to units)
- Assign unit-based IT Professionals to perform scanning on shared network file storage and other data infrastructure components
- Have the unit head sign and return the data form to the Security Office by March 14, 2008
Program Timeline
August 2007: Software scanning tools made available to IT Professionals
October 28, 2007: Software scanning tools made generally available to campus employees
January 14, 2007: Due date for scanning of systems by campus employees
February 14, 2007: Units perform internal reviews and follow-up
March 14, 2008: Signatures from unit heads certifying compliance due
April 1, 2008: Summary report provided to the Offices of the Provost and Chancellor by Security Office
Step by Step Instructions for Colleges, Departments, or Other Units
1. Plan Ahead
We strongly encourage that the unit head, business manager, and senior IT staff meet to discuss the execution of the program within the unit. The unit will need to make a number of decisions which should be documented in the following form.
- Who will be responsible for coordinating this project within your unit? We recommend this be assigned to the business manager or other non-IT individual within the unit.
- Which of your IT Professional staff will be responsible for handling the scanning of mass file storage? By what completion date? Note that a special policy exception has been created permitting unit-authorized IT Professionals to execute the scans.
- When the IT staff execute a scan over network file space, a list of documents thought to contain SSNs or credit card numbers will be produced. Who will be responsible for examining the suspect files? Will the IT staff, or will the document creator be asked to open and review the file? And who will make the decision on what to do with the file (delete, expunge, securely archive)? We recommend that the document creator handle this.
- Who will handle the decision to delete or securely archive files whose creators/owners left the unit?
- If the unit hosts electronic systems that store SSNs, they will need to either make plans for these systems' elimination or their retirement. If the unit feels they have a compelling business case as to why a system must continue, a formal business case must be submitted for consideration to the campus SSN Coordinator, who will review it with the Chancellor's Office.
- Who will identify the systems that store SSNs, and how will the decision be made about retiring identified systems, or whether special exemption to continue running these systems will be granted? Only in exceptional situations will permission be granted to maintain and store SSNs in an electronic system, and when permission is granted, exceptional security measures will be required. We strongly recommend the elimination of the SSNs from these systems, including historical records.
- Most units' central business offices will have access to personnel and similar records with SSNs. What steps will the office take to ensure these records are appropriately secured? Are University records maintained in accordance with the University's record retention schedule?
- If faculty or staff have questions or problems running the scan or responding to the results of a scan, who will they be directed to call? The CITES Help Desk is prepared to assist, but many users should call their local IT staff for assistance.
2. Communicate Requirements
We recommend that the unit head communicate the requirement to participate in the SSN Elimination Program to their staff. Included is a draft of suggested text that the unit may send as is or choose to customize. Please do not hesitate to contact the Security Office directly at securitysupport@uiuc.edu if you have any questions about this program.
3. Examine mass storage of files
Your IT Professional staff are best suited to execute a scan for files containing SSNs or credit card numbers over your mass storage devices. We do not recommend that backup tapes be scanned; however, all networked or network accessible file storage should be examined. This is an excellent opportunity to secure or destroy old backup tapes. IT staff should provide the file creators with summaries of their working or home directories that have files suspected to contain SSNs or credit card numbers.
Huge file systems may take considerable time to scan even using the Firefly utility. Your IT Professional staff should feel free to adopt scanning strategies that minimize disruptions to their schedule and system performance. Please be sure to consult with your staff on how much release time they will need from normal duties to complete this task.
4. Complete the collection of required information
This project requires each unit to list every electronic system they maintain that stores or collects SSNs. The University SSN Policy requires the authorization by the campus SSN Coordinator to use SSNs in electronic systems. The form included in this package provides a convenient location to list the critical information about each of these systems.
In addition, units are required to maintain a list of individuals within the unit that have access to SSNs in Banner or the Enterprise Data Warehouse. Please work with your AITS Unit Security Contact to collect this information. Access to SSNs is prohibited by university policy for all individuals not expressly authorized to do so. This information should also be initially collected on the provided form. Note that individuals authorized to access or store SSNs will be obligated to repeat this program in future years.
Submission of Information and Compliance
The final signed forms should be sent via campus mail no later than March 14, 2008 to
SSN Program c/o Security Office
1506 Digital Computing Lab
mc-256


