CAN the SSN! Removing the SSN from UGA Information Systems



1
CAN the SSN! Removing the SSN from UGA Information Systems
  • Jim Metcalf
  • Terry College of Business
  • Ben Myers
  • EITS - Office of Information Security

2
Credits
  • Internal Audit / President's Office
  • ITMF Security Committee
  • EITS ADDM
  • UGA ID Management Task Force
  • Terry College of Business

3
Today's Goal
  • We know that we want to get rid of Social
    Security Numbers, but we don't know how!
  • Let's focus on how to remove
  • And not get distracted by whether to remove

4
Overview
  • SSN as ID Numbers (employee, student, etc.)
  • Existing Systems
  • New Systems
  • Infosec Recommendation
  • SSN in Data stores and processes
  • Step-by-step
  • Terry College of Business

5
Terms
  • SSN: Social Security Number
  • CAN: Card Access Number. The nine-digit UGA ID
    number. A.k.a. the 810 number
  • PVI: Publicly Viewable Identifier. UGA's next
    ID number according to the UGA ID Management
    Committee

6
Alternative IDs

7
Recommendation
  • Use CAN (or custom if needed)
  • PVI conversion should be simple, so worry about
    PVI when it gets here.

8
Removal for Existing Systems
  • Plan your project: select ID number system and
    decide whether to upgrade or replace
  • Include all stakeholders and, regardless, be sure
    to work with EITS ADDM or ASG

9
Implement New Systems w/o SSN
  • Plan your project: select ID number system
  • Include all stakeholders and, regardless, be sure
    to work with EITS ADDM or ASG

10
Completed or Ongoing Efforts
  • Office of the Vice President for Research
  • Athletics
  • SSN out of the business process - EITS project
  • SSN out of the classroom - 810 number on class
    and grade rolls

11
Removal from Data Stores
  • Define
  • Plan
  • Find
  • Mitigate

12
Removal from Data Stores
  • Define
    • Goal: Eliminate or at least identify where SSNs
      are stored and securely manage
    • Scope: spreadsheets, databases, MS Office docs,
      and even paper stores
    • Stakeholders

13
Removal from Data Stores
  • Plan
    • What to do once found? Know retention factors
      • BOR Manual
      • E-discovery Rules
    • Get permissions or credentials
    • Select searching tools

14
Removal from Data Stores
  • Find
    • Tools: workstation level, time consuming, varied
      effectiveness and output
    • Spider
      • Free from Cornell
    • FindSSN
      • Free from VaTech
    • Nessus Professional Feed
      • Need a license
      • Infosec has a license. Contact us for a pilot
        program

15
Removal from Data Stores
  • Mitigate
    • Delete or Destroy
    • Redact
    • Convert
    • Keep, but secure and monitor
    • Manage Web Exposure
      • Removal from Search Engines
      • e.g. Google or Yahoo!
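
The Find and Redact steps above, as an added Python example (not from the presentation, and not how Spider, FindSSN or Nessus work): it scans text lines for structurally valid nine-digit SSN candidates, reports where they are without copying the digits, and masks them. It assumes a CAN is stored undashed and begins with 810; the sample rows are constructed.

```python
import re

# Nine digits as AAA-GG-SSSS, AAA GG SSSS or run together. The lookarounds
# keep the pattern from matching inside longer digit or dash sequences.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def classify(m):
    """Label one regex match, or return None if it cannot be an SSN."""
    area, sep, group, serial = m.groups()
    # Values the SSA never issues: area 000, 666, 900-999; group 00; serial 0000.
    if area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000":
        return None
    # ASSUMPTION (not stated on the slides): a CAN is stored undashed and
    # begins with 810, so such hits are routed to manual review instead.
    if area == "810" and sep == "":
        return "possible-CAN"
    return "possible-SSN"

def scan_line(line):
    """Return (column, label) per hit. The digits are deliberately left out
    so the scan report does not become another SSN store."""
    hits = []
    for m in SSN_RE.finditer(line):
        label = classify(m)
        if label:
            hits.append((m.start(), label))
    return hits

def redact_line(line):
    """Mask every possible-SSN hit, keeping the separators and line layout."""
    def mask(m):
        if classify(m) != "possible-SSN":
            return m.group(0)
        sep = m.group(2)
        return "XXX" + sep + "XX" + sep + "XXXX"
    return SSN_RE.sub(mask, line)

# Constructed sample rows; none of these values come from a real system.
SAMPLE = [
    "Doe, Jane,123-45-6789,MGMT 3000",
    "Roe, Rick,810123456,ACCT 2101",
    "Invoice 000-12-3456 ref 987654321",
    "Phone 706-555-0100",
]

if __name__ == "__main__":
    for number, row in enumerate(SAMPLE, start=1):
        print(number, scan_line(row), redact_line(row))
```

The third and fourth rows produce no hits, which shows how structural checks cut the false positives that make tool output vary.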

16
Example Data Cleanup Initiatives
  • Ohio State University
  • Virginia Tech
  • Georgia Tech
  • and
  • UGA's Terry College of Business

17
Thanks for this update.  We are definitely
providing a link to the BOR retention schedule as
a resource.  We'll also let it be known that the
USG level is likely to produce some
recommendations on electronic records this
Spring.
--
Benjamin J. Myers
Risk Management and Awareness
EITS Office of Information Security
The University of Georgia
tel 706.542.0033
fax 706.583.0890

  • UGA ID Management Taskforce - www.idmanage.uga.edu/
  • BOR Document Retention - www.usg.edu/usgweb/busserv/series/index.phtml
  • E-discovery Federal Laws for Civil Procedure -
    connect.educause.edu/term_view/ESI2Band2BE-Discovery
  • SSN Discovery Tools
    • Spider - www.cit.cornell.edu/security/tools/
    • FindSSN - www.security.vt.edu/findssnccn.html
  • Search Engine Removal
    • Google - www.google.com/webmasters/tools/removals
    • Yahoo! - help.yahoo.com/help/us/ysearch/siteexplorer/
  • Data Cleanup Efforts
    • Ohio State - buckeyesecure.osu.edu/
    • VaTech - www.security.vt.edu/socialsecurity.html
    • GaTech - datacleanup.gatech.edu/
