Protecting Sensitive Information at UH
The University of Hawaii (UH) is committed to protecting the personal, confidential information with which it is entrusted. Beginning in 2004, UH implemented the UH Number as a unique personal identifier to replace Social Security Numbers. However, some business operations, such as payroll and tax reporting, still require the use of Social Security Numbers. UH must also comply with local and state laws and with federal and industry requirements including, but not limited to, FERPA, HIPAA, PCI DSS, FTC regulations and FISMA.
UH Executive Policy E2.214: "Security and Protection of Sensitive Information" defines what sensitive information is and governs how sensitive information must be protected. The complete policy can be found online at: https://www.hawaii.edu/policy/?action=viewPolicy&policySection=Ep&policyChapter=2&policyNumber=214
Specifically, sensitive information is information that is subject to privacy considerations or has been classified as confidential and subject to protection from public access or inappropriate disclosure. Examples of Sensitive Information include but are not limited to:
- Student records, including anything protected by the Family Educational Rights and Privacy Act (FERPA)
- Health information, including anything covered by the Health Insurance Portability and Accountability Act (HIPAA)
- Personal financial information such as credit card numbers, bank account information, debit card numbers, etc.
- Job applicant records (names, transcripts, etc.)
- Social Security Numbers
- Dates of birth
- Private home addresses and phone numbers
- Driver license numbers and State ID Card numbers
- Access codes, passwords and PINs for online information systems
- Answers to "security questions" such as "what is the name of your favorite pet?"
- Confidential information subject to attorney-client privilege
- Detailed information about security systems (physical and/or network)
- Confidential salary information
- Information made confidential by a collective bargaining agreement
Social Security Numbers are especially sensitive because they are widely used to commit identity theft. A Social Security Number (SSN) may not be used as an identifier in any new UH information system, and its use as an identifier shall be phased out in all existing systems. The SSN may be included as a data element in an information system only where it is required for financial processing (e.g., payroll or student tax reporting) or for other uses consistent with State and Federal law; its inclusion shall be phased out in all other systems.
Any UH employee or UH-affiliated individual who accesses UH sensitive information must sign the UH General Confidentiality Notice.
If you retain Social Security Numbers for official UH business, the repository must be reported in the State of Hawaii Annual Personal Information Survey as required by Hawaii Revised Statutes (HRS) Chapter 487N. UH has implemented an online system for reporting any repositories or collections (paper and electronic) of Social Security Numbers. To report a repository of SSNs, go to: http://www.hawaii.edu/its/information/survey/ (You will be required to log in with your UH username and password.)
Any repository of Social Security Numbers must be approved by the Chancellor (or their designee) of the campus.
Any electronic repository of sensitive information must be secured in compliance with E2.214. The information must be:
- encrypted (PC guidelines, Mac guidelines)*
- stored on a computer that complies with basic computer security standards
- de-coupled/de-identified whenever possible
[*see E2.214 for more information if data CANNOT be encrypted]
Personal Information Protection Program: Server Registration and Identity Finder Software
Server Registration: To assist with the protection of personal/sensitive information, all servers (file, web, email, FTP, etc.) operating on the UH network must be registered with Information Technology Services (ITS). System administrators must scan their servers for SSNs, credit card numbers and vulnerabilities, and must report their findings annually in the Server Registration database, which can be found here: https://www.hawaii.edu/its/server/registration/. To learn more about the server registration process, visit http://hawaii.edu/askus/1312.
A list of Frequently Asked Questions on server registration requirements can be found at: http://www.hawaii.edu/askus/1305
Identity Finder (IDF) Software: To facilitate finding sensitive information such as Social Security Numbers and credit card numbers, ITS has licensed Identity Finder. Information about using Identity Finder at UH can be found at: http://www.hawaii.edu/askus/1297. Note: Identity Finder is available for Windows and Mac operating systems. If you have a UNIX/Linux system, you will need to use another utility, Find_SSN: http://www.hawaii.edu/askus/1323. Another option is to mount the UNIX/Linux filesystem on a Windows or Mac system and run Identity Finder against the mounted filesystem.
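As an added example (this is not the Find_SSN script or Identity Finder that ITS distributes), the scanner below shows the two checks such tools rely on: a pattern match for SSN-shaped and card-shaped digit runs, followed by a plausibility filter (the SSA's structural rules for SSNs, the Luhn mod-10 check for card numbers) to cut false positives. The file names and numbers are constructed test data, and the report masks everything but the last four digits so that the scan output does not itself become a new repository of SSNs.

```python
"""
Walk a directory tree and report files that appear to contain Social
Security Numbers or payment card numbers.  Added example in Python,
not UH's Find_SSN or Identity Finder.
"""
import os
import re
import tempfile

# SSN in AAA-GG-SSSS layout. Both separators must agree (dash, space or
# none) and the run must not be part of a longer digit string.  Bare
# nine-digit runs are accepted, which is the noisiest case in practice.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Candidate card number: 13 to 19 digits, optionally separated one at a
# time by a space or dash.  Longer digit runs are rejected by the lookarounds.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def is_plausible_ssn(area, group, serial):
    """Structural rules the SSA publishes for issued SSNs: area is never
    000, 666 or 900-999; group is never 00; serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers; rejects about 90%
    of random digit runs that merely have a card-like length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(text):
    """Return plausible SSNs found in text, normalised to AAA-GG-SSSS."""
    return [f"{a}-{g}-{s}" for a, _sep, g, s in SSN_RE.findall(text)
            if is_plausible_ssn(a, g, s)]


def find_cards(text):
    """Return card numbers (digits only) found in text that pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(value):
    """Keep only the last four characters: the report must not become a
    new copy of the sensitive data it is looking for."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_file(path, max_bytes=8 * 1024 * 1024):
    """Scan one file (first max_bytes only); returns (kind, masked) tuples."""
    with open(path, "rb") as fh:
        text = fh.read(max_bytes).decode("utf-8", errors="ignore")
    hits = [("ssn", mask(v)) for v in find_ssns(text)]
    hits += [("card", mask(v)) for v in find_cards(text)]
    return hits


def scan_tree(root):
    """Walk root and return sorted [(relative_path, kind, masked), ...]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for kind, masked in scan_file(path):
                findings.append((os.path.relpath(path, root), kind, masked))
    return sorted(findings)


# Constructed sample files for the demo.  The card numbers are the usual
# public test numbers; none of these values belong to a real person.
SAMPLE_FILES = {
    "hr/roster.csv": "name,ssn\nA. Example,123-45-6789\nB. Example,000-12-3456\n",
    "web/orders.log": "order 42 card 4111 1111 1111 1111 ok\n"
                      "order 43 card 4111111111111112 declined\n"
                      "ref 555-123-4567\n",
    "notes.txt": "ticket 5500-0000-0000-0004 refund\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return it."""
    root = tempfile.mkdtemp(prefix="pii-scan-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Scan the constructed tree; expect one SSN and two card hits."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for rel, kind, masked in demo():
        print(f"{rel}: {kind} {masked}")
```

Run it against a real tree with `scan_tree("/path/to/data")`. The invalid SSN (area 000), the card number that fails Luhn and the 3-3-4 phone-style number are all dropped, while the space- and dash-separated card numbers and the valid SSN are reported with only their last four digits visible. Anything the scan turns up still has to be registered and approved as a repository, or encrypted and decoupled per E2.214.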
OpenVAS: This is an open-source vulnerability scanning tool that will return a fairly detailed, technical report. To scan your computer for vulnerabilities, please use the OpenVAS web interface: http://openvas.hawaii.edu/cgi-bin/myopenvas
The OpenVAS web interface will only scan the computer you are connecting from. If you are responsible for multiple computers, refer to the ITS guidance on scanning multiple systems.