October 18, 2007

New university policy to eliminate use of social security numbers in administrative and ITS systems

What would you do if you opened an e-mail attachment that turned out to contain a virus?

What would you do if someone obtained your social security number and used it to access personal information and alter records?

Would you know what to do or who to call?

October is National Cyber Security Awareness Month, an opportunity for anyone who owns or uses a personal computer to take steps to ensure that their systems and the information therein are secure against potential viruses, identity fraud or other online crime.

Using the theme, "Protect yourself before you connect yourself," the Case Western Reserve University Information Technology Services (ITS) office this year announced a change in policy for the use of social security numbers in administrative processes and IT systems.

The policy change is the result of a yearlong study commissioned by former Provost John L. Anderson and developed by a subcommittee of the Case Information Technology Services Planning and Advisory Subcommittee co-chaired by Tom Siu, chief information security officer, and Pamela Lebold, director of audit services.

The subcommittee was commissioned to review standards, policies and practices related to funding, management, deployment and assessment of information services used to support campuswide and school-based academics, programs and research. The subcommittee reviewed the university's use of social security numbers and made its policy recommendation this past spring.

According to Siu, approved uses of social security numbers are typically only for employment, financial aid, IRS reporting and, at Case, for academic record tracking.

"We wanted to get away from using social security numbers as a means of authenticating student and employee information and come up with other good authentication methods," Siu said. "When the transition is complete, we will no longer be using social security numbers as a way to identify an individual."

Siu said the practice of using alternative identifiers is employed at many universities and colleges. Not using social security numbers is a practical way to protect individuals from identity fraud due to possible data breaches and other disclosures.

New Student Information System Project

In addition, this shift in policy will coincide with the university's transition to the new Student Information System (SIS) over the next eight to 12 months. The SIS project is the final step of the university's multiyear plan to replace an outdated mainframe administrative system with a new database-driven system with a Web-based user interface. The new SIS will provide improved academic services to students, faculty and staff, including course registration processes, grade reporting and transcripts, academic advising and degree progress reports. In addition, the new SIS will offer better information security, as the university will no longer rely on social security numbers as the primary student identifier.

The new SIS has been rolled out in stages and is on schedule to go live in March 2008, in time for students to pre-register for the summer and fall 2008 terms.

Although the process is administrative in nature, Siu said the entire campus would reap the benefits. The key now is to locate and purge all social security numbers from the university's business processes. "Some people still have files with student information from the late 1990s which were full of social security numbers, dates of birth, names, addresses; enough information to really facilitate identity-based fraud. That was how business was done then. We're making the change," he said.

A series of programs will be held throughout the month to educate the campus about the policy and general computer security measures that are being implemented.

Ways to Categorize Types of Information

The subcommittee has adopted a three-tiered approach to categorize information types and level of sensitivity. These categories are derived from the Federal Information Processing Standard 199 (FIPS 199). The tiers -- unrestricted, university internal and restricted -- are determined based upon risk to the university in the areas of confidentiality, integrity and availability of data in support of the university's mission. Information (or data) owners are responsible for determining the impact levels of their information.

For example, Tier 1, or unrestricted, information would include news, general communication, budget information and publications when approved for disclosure, name, job titles, work location, class year and degrees, and dates of enrollment, among other data.

Tier 2 information would include strategic plans, internal-only communications, visa status, citizenship and photographs from the student directory. Examples of Tier 3, or restricted, information are birth date associated with a person's name, Case network ID associated with passwords and electronic personal health information. Information in this category must meet the most stringent controls in the university environment to address confidentiality issues that include physical security of the IT systems where the data resides.

Students and employees can assist in this process by determining the impact levels of their information. Once implemented, the standards will be reviewed every two years on the anniversary of the policy to ensure they remain applicable.

Top Eight Cyber Security Practices

With access to the Internet 24/7, all computer owners and users should take the necessary precautions to guard against those individuals and groups who seek to exploit the Internet through criminal behavior or other harmful acts.

The National Cyber Security Alliance has issued the top eight cyber security practices. They are essentially good habits that should be followed any time one connects to the Internet. These practices are:

  1. Protect your personal information. It's valuable.
  2. Know who you're dealing with online.
  3. Use antivirus software, a firewall, and anti-spyware software to help keep your computer safe and secure.
  4. Be sure to set up your operating system and Web browser software properly, and update them regularly.
  5. Use strong passwords or strong authentication technology to help protect your personal information.
  6. Back up important files.
  7. Learn what to do if something goes wrong.
  8. Protect your children online.

Learn more by visiting the National Cyber Security Alliance Web site.

For more information, contact Marsha Lynn Bragg, 216-368-6949.

Posted by: Marsha Bragg, October 18, 2007 09:42 AM | News Topics: Administration, HeadlinesMain, Provost Initiatives, Staff, Technology
