[Micronet] Social Security Number policy change and next steps


Ryan L. Means
Good afternoon,

In a recent letter to Chancellors, University of California President
Yudof called upon each of us to reduce serious risk to the University by
reducing or eliminating the use of Social Security Numbers (SSNs) at our
Campuses.  In support of that important appeal, Berkeley must take
immediate action to review and change our academic and administrative
processes to eliminate the collection, use or storage of SSNs except in
very limited circumstances.  This includes old or new records, paper or
electronic, for all Campus processes, including those in research,
instruction, and administration.

As of July 1, 2010, new Campus policy requires approval for all
electronic processes that collect, use, or store SSNs.  See the “Campus
Online Activities Policy” section on “Privacy and confidentiality of
information”:

*Social Security Numbers*
All Berkeley Campus units are required to obtain CIO approval for all
processes that collect, use, or store Social Security Numbers associated
with individuals.  This requirement augments other existing Campus and
UC policies protecting confidential information, including the Berkeley
Campus Minimum Standards for Electronic Information and the University
of California Electronic Information Security Policy, IS-3.

Today’s Chancellor’s memo to Deans and Directors (copy attached)
requests that by September 30th, 2010 these individuals perform an
inventory of business and academic processes that collect, use, or store
SSNs and ensure that these processes are documented, reviewed, and that
approvals are requested where necessary. Clearly, a portion of this
inventory will involve assistance from Information Technology staff that
support the unit; however, it is important for you to communicate with
your business and academic partners that the policy requires a process
inventory, rather than a comprehensive data or technology inventory. By
attacking the proliferation of Social Security Number data at the
source, I believe that the campus will be able to shore up the poor
processes that continue to contribute to data breaches.

I request your assistance in coordinating with your leadership in
executing this process review in the following ways:

* The Deans and Directors memo specifically asks campus leaders to bring
Campus Administrative Officials such as Deans, Directors, MSOs,
Department Chairs, and PIs (process owners) and IT staff together to
surface processes that collect, use, or store SSNs and discuss a
strategy for compliance. Please participate in these discussions.

* As a part of a review, you may need to conduct scans for SSN data on
servers and workstations. When doing so, please refer to the “Guidance
for Departments Scanning for SSNs Stored on Servers and Workstations”
(copy attached) to ensure that your scanning program complies with UC
and campus policy.

* When processes are identified that require approval, the process owner
will need to submit a request for authorization to IT Policy. Before
this request is granted, we will contact you to discuss the systems that
support the process and security controls that are in place. Any system
that stores or processes SSNs will also be placed in the queue for a
future Data Security Review.

* Next week I will be sending out information to Deans and Directors
about systems that are registered in RDM and therefore likely areas to
seek an intersection with processes that collect, use, or store SSNs. If
you would like to ensure that your leadership is aware of these systems,
please register them in RDM by Wednesday, June 30th.

For information about the online SSN approval request process, or
guidance regarding the technical requirements for your academic and
administrative systems, contact [hidden email] or Interim
Chief Privacy and Security Officer Ryan Means (643-7862).

Thank you,

Ryan

--
Ryan L. Means
Interim Chief Privacy and Security Officer
University of California, Berkeley


 

Attachments:
D&D SSN Memo.pdf (374K)
Scanning Guidance.pdf (389K)