case western reserve university

INFORMATION SECURITY

 
 

Case Cyber Security Awareness: 2007-2008


Overview

Case announces National Cyber Security Awareness Month on October 1, 2007, with a number of campus events to stimulate thoughts and discussion on the specific topic of

Identity Theft and Identity-Based Fraud Protection




New SSN Use Policy

Case Western Reserve University announces the kickoff of a policy for the use of SSNs in administrative processes and IT systems.  This policy was commissioned by the University Provost and developed by a sub-committee of the Case ITSPAC over the 2006-2007 calendar year and was approved in late Spring 2007.  Some of the key criteria for using SSNs are for employment, financial aid, IRS reporting, and academic record tracking.

Coupled with the transition to the new Student Information System, the next 8-12 months represent a buffer period where the university moves from SSN use as an identifier in both administrative processes and supporting IT systems to the use of the EmployeeID/StudentID.  Our legacy mainframe student system was built with business rules around the SSN as the student identifier, and its use is the rate-determining step in the entire university transition away from SSNs.  The current plan for transition of student ID to the new EmployeeID/StudentID is after June 2008.  The current ISIS system will still be the "system of record" until the new Student Information System has been brought fully online.

With the legacy of using SSNs in many processes, there is the strong potential that data of this sensitivity level is still resident in many university data systems.  Therefore, the university will engage all Case students, faculty, and staff in playing a part in the move to improve the handling and security of Tier 3 information such as SSNs.



5 Key Steps to protect sensitive data* and your identity

1.  Inventory
Inventory where personal data and information are kept.  Use this procedure to find SSNs in your IT environments, on hard drives, and in file servers.  For faculty and staff, identify workflow and business processes that use SSN to identify persons.  Need help? Contact security@case.edu for audit assistance.

2.  Scale Down
Scale down your SSN use to be compliant with university policy.  Contain the files you need to keep that have this type of data in them.  Note that student identifiers will still use SSN until after May 2008.  Protect this data from disclosure or loss.

3.  Lock It Up
Protect the data from disclosure and from threats.  Secure documents in locking file cabinets, and remove IT systems from open access (physical and network).

4.  Dispose of Unneeded SSN-based Data
If it is not needed for financial or legal purposes, it is time to make the process changes necessary.  Get rid of old SSN-based data files in your IT environments.  Shred paper copies of old class lists or grade books that are no longer pertinent to current operations.

5.  Plan
Plan for implementing Tier 3 Controls for SSN-based data or for transitioning to using the EmployeeID/StudentID (emplid) as the primary identifier.

What do we use in the interim if the student processes still use SSN?
These are the current 'approved' identifiers, in descending order of preferential use:
  1. Name (last, first)
  2. EmployeeID (also called 'emplid')
  3. Case Network ID (abc123) - for students that don't yet have a new StudentID
  4. Badge Number from your Case ID Card
  5. SSN (for students until the new student system is fully in place as the system of record)



SSN Use Forum

We hosted a forum for all campus users to discuss where and when SSN transitions are to be made.  The forum was held at 10:00 AM, October 26, 2007, in the Ford Auditorium, Allen Memorial Library.  A panel of members of the ITSPAC Subcommittee that developed the policy will be present to provide directions and answer questions.  If you missed this event, it is available on tv.case.edu.




Castle Cops



Phishing is not your phriend

Phishing is a significant threat vector for the theft of personal information.  Okay, most Case people won't get snookered by a phishing email, but you can be a part of the solution.  Paul Laudanski of CastleCops will be our guest speaker to address the Phishing Incident Response Team and its role in reducing identity-based and financial fraud.  This presentation is scheduled for 4:00 PM, October 18, 2007, in the Ford Auditorium.  If you missed this event, it was recorded by the ITS MediaVision group and is available on tv.case.edu.



Case Paranoid Geeks
Be a real geek and play the ISS Security Game.

Recognition
*Based on guidance from the Federal Trade Commission.