Protecting Sensitive Information at UH
The University of Hawaii (UH) is committed to protecting the personal, confidential information that it is entrusted with. Beginning in 2004, UH implemented the UH Number as a unique personal identifier to replace Social Security Numbers. However, some business operations such as payroll and tax reporting still require the use of Social Security Numbers. UH must also comply with local and state laws and federal requirements such as, but not limited to, FERPA, HIPAA, PCI, FTC and FISMA.
UH Executive Policy E2.214: "Security and Protection of Sensitive Information" defines what sensitive information is and governs how sensitive information must be protected. The complete policy can be found online at: http://www.hawaii.edu/apis/ep/e2/e2214.pdf
Specifically, sensitive information is information that is subject to privacy considerations or has been classified as confidential and subject to protection from public access or inappropriate disclosure. Examples of Sensitive Information include but are not limited to:
1) Student records, including anything protected by the Family Educational Rights and Privacy Act (FERPA)
2) Health information, including anything covered by the Health Insurance Portability and Accountability Act (HIPAA)
3) Personal financial information such as credit card numbers, bank account information, debit card numbers, etc.
4) Job applicant records (names, transcripts, etc.)
5) Social Security Numbers
6) Dates of birth
7) Private home addresses and phone numbers
8) Driver license numbers and State ID Card numbers
9) Access codes, passwords and PINs for online information systems
10) Answers to "security questions" such as "what is the name of your favorite pet?"
11) Confidential information subject to attorney-client privilege
12) Detailed information about security systems (physical and/or network)
13) Confidential salary information
14) Information made confidential by a collective bargaining agreement
Social Security Numbers are especially sensitive because of their use to commit identity theft. A Social Security Number (SSN) may not be used as an identifier in any new UH information system, and its use as an identifier shall be phased out in all existing systems. The SSN may be included as a data element in an information system only where it is required for financial processing (e.g., payroll or student tax reporting) or other uses consistent with State and Federal law and its inclusion shall be phased out in all other systems.
Any UH employee or UH-affiliated individual who accesses UH sensitive information must sign the UH General Confidentiality Notice (http://www.hawaii.edu/ohr/docs/forms/uh92.pdf).
If you retain Social Security Numbers for official UH business, this must be reported in the State of Hawaii Annual Personal Information Survey as required by Hawaii Revised Statutes (HRS) 487N. UH has implemented an online system for reporting any repositories or collections (paper and electronic) of Social Security Numbers. To report a repository of SSNs, go to: http://www.hawaii.edu/its/information/survey/ (You will be required to log in with your UH username and password.)
Any repository of Social Security Numbers must be approved by the Chancellor (or their designee) of the campus.
Any electronic repository of sensitive information must be secured in compliance with E2.214. The information must be:
- encrypted (PC guidelines, Mac guidelines)*
- stored on a computer that complies with basic computer security standards
- de-coupled/de-identified whenever possible
[*see E2.214 for more information if data CANNOT be encrypted]
Personal Information Protection Program: Server Registration, Identity Finder Software
To assist with the protection of personal/sensitive information, UH Information Technology Services (ITS) will be identifying servers and requiring that they be scanned for SSNs, credit card numbers, and vulnerabilities. Any file server, web server, email server, or FTP server must be registered with ITS. The server registration database is located at: http://www.hawaii.edu/its/server/registration/
To facilitate finding SSNs and credit card numbers, ITS has licensed Identity Finder. Information about using Identity Finder at UH can be found at: http://www.hawaii.edu/its/idfinder. General information about Identity Finder is available on the company website (no registration needed): http://www.identityfinder.com/
Identity Finder will be distributed in two forms: 1) servers and 2) workstations.
Servers: To receive a copy of the software for servers, please register your servers at: http://www.hawaii.edu/its/server/registration/ . Registration of servers is required. During the registration process, you will be able to request a copy of Identity Finder. Once you submit your list of servers to be scanned, and if you requested a copy of Identity Finder, you will receive an email with a link to the Identity Finder download page, which contains more detailed information on installing and running the software. Note that Identity Finder is available for Windows and Mac operating systems. If you have a Unix/Linux system, you will need to use another utility, Find_SSN: http://www.hawaii.edu/askus/1323 . Another option is to mount the filesystem on a Windows or Mac system and run Identity Finder on that system, having it scan the mounted filesystem. Information about Identity Finder for Mac or Windows is available at: http://www.hawaii.edu/its/idfinder
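As an added illustration (not the code of Identity Finder or Find_SSN, whose internals this page does not describe), the Python below shows the kind of pattern matching plus validation a repository scan for SSNs and credit card numbers applies, so that plausible identifiers are flagged while arbitrary 9- or 16-digit strings are not. The sample text and all function names are constructed for the example.

```python
import re
from pathlib import Path

# Candidate patterns: SSN with optional dash/space separators; card numbers as 13 to 19 digits.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample: a valid-looking SSN, an invalid one (area 000), a Luhn-valid card, a 16-digit id that fails Luhn.
SAMPLE = """name: Test Person, ssn: 123-45-6789
invoice ref 000-12-3456 is not an SSN
card on file 4111 1111 1111 1111
order id 1234567890123456
"""

def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so the scan report is not itself sensitive."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(text: str) -> list:
    """Return (kind, masked value, line number) for every validated hit."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if valid_ssn(*m.groups()):
                hits.append(("ssn", mask("".join(m.groups())), no))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                hits.append(("card", mask(digits), no))
    return hits

def scan_tree(root: str) -> dict:
    """Map each file under root to its hits; undecodable bytes are ignored."""
    files = (p for p in Path(root).rglob("*") if p.is_file())
    found = {str(p): scan_text(p.read_text(errors="ignore")) for p in files}
    return {path: hits for path, hits in found.items() if hits}
```

Run `scan_tree` against a mounted filesystem to get a per-file list of masked hits; only validated matches are reported, so the 16-digit order id and the area-000 number in the sample are dropped.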
A list of Frequently Asked Questions on server registration requirements can be found at: http://www.hawaii.edu/askus/1305
Workstations: Downloads for workstation versions are available from the UH software download page (you will need to log in with your UH username and password): http://www.hawaii.edu/software
OpenVAS: To scan your computer for vulnerabilities, please use the OpenVAS web interface: http://openvas.hawaii.edu/cgi-bin/myopenvas
This is an open-source vulnerability scanning tool that will return a fairly detailed, technical report. For a less technical vulnerability scan, please use the free, online Symantec Security Scan at: http://security.symantec.com/ and click on "Continue to Symantec Security Check".
The OpenVAS interface will only scan the computer that you are currently using. If you are responsible for multiple computers, please email: firstname.lastname@example.org for more information.