UC Santa Cruz - Information Technology Services - UCSC Information Security - Security & Technology Policies and Guidelines - Model for Social Security Number Scanning on Campus Systems


Home About ITS Services ITS News Policies Governance ITS Staff Site Jobs Find An Answer Feedback

Security Information

Security Awareness

Security Resources

UCSC | Campus Safety

Web Statistics by Google Analytics

Model for Social Security Number Scanning on Campus Systems

Home UCSC Information Security Security & Technology Policies and Guidelines Model for Social Security Number Scanning on Campus Systems

Printer-friendly format (PDF, 20K)

General Methodology for Performing Scans for Personal Identity Information (PII) Data, e.g. SSN

Users:

Users may scan their own systems for PII data.

Scan results may contain PII and must be protected and disposed of accordingly.

Service Providers and Unit/Departmental Managers:

Prior to performing a scan for PII data on any system, Service Providers or Unit/Departmental Managers must

Provide advance notification of the scan to all individuals, managers and system stewards whose data will be scanned

Provide an option for individuals to request an exemption from the scan, to remove or exclude personal or electronic communications files from the scan, and/or to choose to scan their own systems themselves

Advance notification must be sufficient to realistically allow individuals to exercise these options.

Service Providers and Unit/Departmental Managers must adhere to the following agreements with respect to scan results:

Assure a practice of least perusal and retention of scan results

Consult with user/data owner (if known) on scan results indicating potential PII

Proper protection and disposal of scan results

UCSC IT Security:

As part of UCSC’s standard IT incident response procedure, UCSC IT Security is authorized to scan for PII data on any system in response to a security breach or compromise. The system steward (or the data owner in the case of a non-shared system) shall be notified prior to performing the scan. IT Security must adhere to the above agreements with respect to scan results as applicable to a given security investigation.

Authorization for Performing Scans for PII Data

Individuals:

Individuals are authorized to scan their own systems for PII data.

Service Providers:

Service Providers are authorized to scan for and access PII data on systems for which they have administrator privileges, with the permission of the system steward or data owner.

Note: for departmental systems or servers with shared data, the system steward is the departmental manager.

Unit/Departmental Managers:

Unit/Departmental Managers are only authorized to scan departmental systems for which they are the system steward, and must comply with the terms outlined above for these scans. Unit/Departmental Managers are not authorized to scan other systems, including individual users’ systems, without the explicit consent of all parties whose data will be scanned.

UCSC IT Security:

UCSC IT Security is authorized to scan for PII data on any system in response to a security breach or compromise as part of UCSC’s standard IT incident response procedure.

Related UC Policy

University of California Electronic Communications Policy (ECP):

The UC ECP homepage includes links to the ECP, ECP User Advisories, ECP Implementation Guidelines, and other related documents: http://www.ucop.edu/ucophome/policies/ec/

Rev. 4/13/06