January 25, 2009

Memorandum

To: Deans, Directors and Department Heads

CC: Subnet managers

From: Rick Miranda, Interim Provost

RE: Scans/rescans for sensitive information, including SSNs

As you are aware, CSU is diligent about protecting individuals’ privacy. To protect CSU constituents from possible identity theft and in compliance with numerous laws and directives, in 2007 the University transitioned away from SSNs to new CSUIDs as primary identifiers. Subsequent to that, files containing SSNs were to be removed from systems. Two years ago, in 2007, individuals attested they had removed SSNs from their systems. Last year, in response to discovery on servers of numerous files containing SSNs, IT staff conducted scans/rescans for SSNs of files on servers accessible from the Internet. That exercise uncovered over 900,000 SSNs in tens of thousands of files. Since the second effort revealed so many SSNs, I feel it necessary to rescan servers as our next exercise in this direction Therefore, units are to proceed as follows:

1.  Units are required to scan/rescan all servers accessible from the Internet for SSNs. At the same time, such scans should also be configured to discover other sensitive information, including Credit Card Numbers (CCNs). ACNS will assist units in this endeavor with tools, training in how to use those tools, and consultative support.

2.  IT staff are then to work with users to purge SSNs and CCNs from files. Users may store them off line if it is necessary to retain them. Again, if SSN occurrence is incidental and difficult to access (e.g. individual SSNs ‘buried’ deep inside email files), these need not be purged.

3.  IT staff are to enumerate results and report them back to ACNS, just as last year. ACNS has modified its reporting form based upon suggestions from the ITEC Advisory Council (see http://ssnscan.colostate.edu).

4.  Units who must retain SSNs and/or CCNs shall reapply for an exception and return that exception from to ACNS, who will again work with such units to ensure these systems are properly protected from unauthorized access. (see http://ssnscan.colostate.edu for exception request form)

5.  Units are to make every effort to complete this exercise by May 15, 2008.

6.  Given the level of effort required from IT staff, other claimant priorities, and the uncertainty in our funding environment, at this time, units are not required to extend scans to desktop and laptop computers. However, this decision may subject to reexamination based upon further analysis, including results from the scans/rescans.

If you have any questions concerning this exercise, please feel free to contact Pat Burns, VP for IT, , 491-1833.

Please continue to comply with university policy that prohibits storing any sensitive personally identifiable information, especially Social Security Numbers, on IT systems in order to protect our constituents. Thank you for your continued support as we progress with this important initiative.