Social Security Number Elimination Policy
Faculty, Students and Staff--
The University of Nebraska at Kearney is the custodian of confidential data for students and employees and we acknowledge our responsibility to secure confidential data for the protection of our constituents. We assign to students and employees the NU-ID, a number designed to replace the Social Security Number as a unique identifier.
The University of Nebraska at Kearney will not use Social Security Numbers to identify students, employees, or other persons with a UNK relationship, except for those uses required by law, such as payroll, benefits, and financial aid. Social Security Numbers can be used to obtain non-public information, such as employment, credit, financial, health, motor vehicle, and educational information that would be harmful or an invasion of privacy if disclosed. Our goal is to prevent unauthorized use of or access to confidential data and Social Security Numbers.
Neither the Social Security Number nor any portion of the Social Security Number will be collected, stored, or transmitted by university services or using university-owned equipment unless its use is authorized in writing by officials designated by the Chancellor. Departments or individuals who are authorized to collect, store, or transmit Social Security Numbers will follow guidelines to secure such data as established by the Assistant Vice Chancellor for Information Technology.
Failure to comply with this policy after January 1, 2008, may result in disciplinary action by the University.
Your cooperation is greatly appreciated. Thank you.
Douglas A. Kristensen, Chancellor
Chancellor Kristensen instructed all departments to be in compliance with the UNK Social Security Number Policy as of January 1, 2008.
- Identify documents and processes within the department that use social security numbers and make plans to replace the social security number with NU-ID. These documents can be paper or electronic.
- Identify forms used by the department that request social security number and remove the social security number field or replace it with NU-ID. If the social security number is required, request an exemption from the policy from Information Technology Services.
- Do not send social security numbers via email unless the email message is encrypted. Encryption may not be possible if email messages are destined for off-campus addresses.
- Paper documents with social security numbers should be stored in locked cabinets in a locked room.
- Paper documents that have been retained beyond the date specified in the NU records retention schedule should be destroyed, preferably by cross-cut shredding. If the volume of documents to be destroyed is large, the department should develop a plan and timeline for destruction of the documents. There are vendors that provide document destruction/disposal service for a fee. Contact the Vice Chancellor for Business and Finance for additional information. Until the documents are destroyed, they should be protected as described above.
- Identify removable media, such as flash or jump drives, floppy disks, CDs, zip disks, etc. that store social security numbers. Keep such media in a locked cabinet in a locked room, similar to paper documents. If the removable media is no longer needed, physically shred or destroy the media to dispose of it.
- Apply for an exemption from the Social Security Number Policy if you must retain documents, either paper or electronic, with social security numbers.
- An exemption request is NOT required for direct access to SAP/HR and SIS application data. However, if you have social security numbers from these systems stored on your workstation or removable media, an exemption must be requested.
- An exemption request is NOT required for paper documents for SAP/HR and SIS that are stored in locked filing cabinets and locked rooms and shredded when no longer needed. However, if you have social security numbers from these forms stored on your workstation or removable media, an exemption must be requested.
- Exemptions that are granted will be reviewed annually.
SSNs and other personal identity information are confidential data and the theft and/or unintentional compromise of such data has become a major issue in higher education. The Chancellor has charged UNK to eliminate all non-essential use of SSN by January 1, 2008. Exceptions must have the Chancellor's approval.
- Complete the form online with the exception of the Department Head signature box.
- Print the completed form.
- Department Head signs the form and forwards to:
- Deb Schroeder
- Assistant Vice Chancellor for Information Technology Services
- 114 Otto Olsen
- University of Nebraska Kearney
- Kearney, NE 68849
Information Technology Services will review the form and forward it to the Chancellor for approval.
Purpose and Audience:
The University of Nebraska Kearney recognizes the increased concern about individual privacy and the risk of identity theft. The Social Security Number (SSN) is classified as private data. The protection and confidentiality of the SSN is covered under Regents policy, federal law, and state law. Historically, the SSN has been employed to help identify and match records. However, current directives discourage this practice and make use of the SSN subject to approval. This procedure is intended to specifically address issues related to the use of the SSN in university systems, including self-service applications and departmentally administered systems. Our objectives are to:
- Eliminate the collection of the SSN except where required by law.
- Eliminate the use of SSN in data systems, including display pages and reports.
- Require the use of an exemption request when using or storing the SSN.
- Increase awareness about the concern for privacy and the risk of identity theft related to the disclosure of the SSN.
The University is required to collect the SSN for a variety of legally mandated activities (e.g., income tax reporting, federally supported financial aid). All such cases, including existing systems, must be documented, reviewed, and approved by the Assistant Vice Chancellor of Information Technology or designee.
One Request Per Application
An exemption request must be made for each application that you own, run, and/or utilize if that application uses SSNs. The application may be specific to the function of your office. It may be a "shadow system" with an associated data base and/or data files. It may be a test version of an application. Or it may be a Word document or Excel Spreadsheet. (State law prohibits the use of employee SSNs to identify employees except for those uses required for tax and benefit purposes.)
New Applications Require New Requests
An exemption request must be made for any new application that will utilize SSN. The exemption request should be submitted before the purchase of the application. At test version of an application will require its own exemption request.
Employees with accounts for accessing SAP/HR and SIS do no need to request exemptions for SAP/HR or SIS access. If you extract SSNs from SAP/HR and/or SIS and store those SSNs on electronic devices, such as your desktop, network storage, flash drive, or other mobile device, you must submit an exemption request.
Exemptions are granted for one year and will be reviewed annually. Exemptions must be submitted annually.
Download Request Form.
Protecting the nonpublic personal information of our employees and students is an important responsibility. The practices listed below can help us ensure that information stays protected.
- Email is a primary method for attacking your computer. It is easy for an attacker to send a message that will infect your computer, even if you do not read or preview it. This is why antivirus software is essential.
- Use encrypted email or do not send confidential information.
- Do not open attachments you are not expecting.
- Do not click on links to web pages that arrive in email.
- Report any suspicious email messages you receive to the ITS Helpdesk.
- Keep your preview pane closed.
- Never respond to spam—even to “unsubscribe.”
- Sensitive communication via email poses real risks. The most common disclosures result from email accidentally sent to the wrong person. Therefore, use special care when addressing email with sensitive information. For highly sensitive data, choose methods other than email.
- Use special care when faxing sensitive information. Be sure that the fax number is correct and that someone on the other end will promptly retrieve the faxed document.
- Use special care when handling paper documents. Do not leave documents with social security numbers on your desk when you leave. Do not share social security numbers over the telephone when your conversation can be overheard by others.
- Choose a strong password—one that is difficult to guess. If you think your password has been compromised or shared, change it immediately.
- Do not share passwords and do not allow anyone to work on a computer that you have logged into.
- Recognize when your computer may be compromised. It is often difficult to recognize when your computer system has suffered a security compromise. If you notice your computer behaving slowly, rebooting by itself, or exhibiting any unusual behavior, notify an IT support person.
- Avoid risky web and email activities:
- Be skeptical of email and web sites that ask you to provide personal information, such as social security number, to download software or files.
- Confirm that an embedded web link in the body of an email goes where it is expected to go before you click on it.
- “Free stuff on the Internet is like candy from a stranger.” Be aware that seemingly harmless games, utilities, and other “fun stuff” can work behind the scenes and install spyware or other malicious software (malware) on your computer. They can harbor viruses and even open a “back door” giving access to your computer.
- Identity theft is the intentional use or theft of a person’s private information to obtain goods or services. Any purchase at a web site or any online transaction, such as online banking, increases your risk of identity theft. Take precautions to ensure the confidentiality of your private information.
- Only download from well-known software vendors.
- Any security incidents involving systems that store and/or have access to social security number must be reported promptly to the Information Technology Services Helpdesk. Security incidents include, but are not limited to, virus infections, spyware infections, rootkits, compromises such as hacks and inappropriate use, and lost media or lost computing devices.
This checklist is provided as a tool to help you in making sure your department is complying with the University's Social Security Number Elimination Policy.
- Review your security processes and procedures annually.
- Applications, services, or forms that collect, store, or transmit social security numbers can not be commissioned without written approval from the Assistant Vice Chancellor for Information Technology.
- Annually update the departmental inventory of documents, both paper and electronic, containing social security number.
- Maintain an access control list to identify each person with authorized access to social security numbers.
- Require new employees to read university and departmental security policies.
- Instruct all employees on basic workstation security and document storage policy.
- Review the University Password Policy
- Strong passwords are recommended. They are difficult for a human or a computer program to guess and have letters in both upper and lower case, numbers, and special characters, and do not consist of words found in a dictionary or that are part of the user’s own name.
- Accounts should not be shared among users.
- Generic accounts should not be utilized.
- A timed lockout mechanism such as a screensaver that requires re-authentication should be used.
- Passwords must be changed any time a system is compromised.
- Servers storing social security numbers must be appropriately secured and managed.
- Servers storing social security numbers must be located in the ITS server room. Exceptions may be granted by the Assistant Vice Chancellor for Information Technology.
- Servers may be periodically scanned to verify that social security numbers are not being stored in an unsecured manner.
- Servers storing social security numbers are subject to periodic vulnerability scans.
- Servers should support a single application.
- Use of servers for tasks other than their intended use is prohibited.
- All servers that store social security numbers must have antivirus software enabled and updated.
- Workstations storing social security number must be appropriately secured and managed.
- Workstations and portable devices storing social security numbers must use full disk encryption. This applies to all devices whether they are owned by UNK or by the user. The data encryption standard will be specified by Information Technology Services.
- Workstations may be periodically scanned to verify that social security numbers are not being stored in an unsecured manner.
- Devices storing social security numbers are subject to periodic vulnerability scans.
- All workstations that store social security numbers must have antivirus software enabled and updated.
- If social security numbers are accessible over a network, connections that will encrypt the data during transfer, such as VPN, Secure FTP, Secure emulation software, or SSL are recommended. Note that a remote desktop is not a VPN.
Spider software Searches your PC for social security numbers.
Spider 4 is software the scans and detects Social Security Numbers located on your computer.
**The following tutorial was created using Mozilla Firefox on Mac OSX Yosemite 10.10. If you use a different browser or are on a different version of operating system the instructions may vary**
Step 1: Click on the link below to download the Spider 8 software for Mac OSX.
Click here to download
Step 2: If using Mozilla Firefox, a window will pop up asking you what you want to do with the file. Select Open with: DismImageMounter and select Ok.
Step 3: The disk image will be mounted and placed onto your desktop. Locate the Spider_OSX disk and open it. Inside of the disk you will see a Spider app icon.Right-click on the Spider icon and open the program. You may be prompted to "Open" the program one additional time.
Step 4: Another window will open and you will be asked to run the program. Click on Run Spider. It could take anywhere from 15 minutes to several hours for Spider to scan your entire computer.
Step 5: After your scan for confidential data is complete, you need to decide what to do with the results.
Spider for the Mac creates a file called Spider.log. The default application used to view the file is Console, but it's usually easiest to rename the file with a .csv extension and then open it in Excel.
The log file may contain a lot of false positive results. You may want to pare down the list before you start checking individual files.
- It's usually safe to ignore any file whose name contains /library.
- Focus on files that are either Office documents or e-mail.
After you remove some of the obvious false positive files, check the list of files that were flagged as potentially containing confidential data:
- If the file does not contain confidential data (false positive), you can ignore it.
- If the file contains confidential data and you are sure you no longer need it, you should securely erase it. Put the file in the Trash, and then from the Finder menu, choose Secure Empty Trash.
- If the file contains confidential data that you may need to continue storing on your computer, contact your technical support provider, who can tell you what to do with it (based on local practices).