OP-H-12 PRIMARY IDENTIFIER POLICY
SPECIFIC AUTHORITY
Section 282.318, Florida Statutes - Security of Data and Information Technology Resources.
Section 119.072, Florida Statutes - SSN Exemption from Public Disclosure.
OBJECTIVE
The purpose of the University Primary Identifier Policy is to provide for the safeguarding and elimination of the use of the Social Security Number (SSN) as a primary identifier on campus. The collection, authentication, and use of SSNs by entities of the Florida State University will be limited to those required by law and FSU official business necessity. The storage of personal identifier data on FSU automated systems must meet strict compliance criteria and will be subject to scheduled and random audits. It is the intent of Florida State University to take the necessary precautions to protect the identity of all of its stakeholders while providing an effective and efficient means of gaining authorized access to computers and networks.
OVERVIEW OF IDENTITY MANAGEMENT @ FSU.EDU
The pervasive use of SSN data has created a scenario where personal identity theft has become a national problem. The Congress of the United States has stated its legislative intent that Social Security account numbers not be used for routine identification purposes. The Florida legislature has provided more focused guidance on the transition away from the use of SSNs as primary identifiers.
In response to the emerging task of safeguarding or eliminating the use of the SSN as a primary identifier on campus, FSU has developed and deployed an Enterprise Metadirectory (eDir) solution. The eDir is designed to facilitate secure access (authentication and authorization) to FSU systems and services through the use of FSU Unique Identifiers (FSUIDs - Public Username) and FSU Security Numbers (FSUSNs - Private Identifier). The eDir generates FSUSNs (nine-digit alphanumeric codes) to identify individual network users. These nine-digit codes are to be used instead of SSNs for routine university business.
As an additional security measure, the collection and storage of SSNs, and any databases that cross-link FSUSNs and SSNs, are restricted to FSU automated systems that serve the Enterprise Resource Planning system (OMNI) or the university financial aid system and that meet multi-layered security protocols. Individuals with a bona fide need for SSN data must apply for an exemption (Section H). All other pre-existing databases that contain personal identification data of students, faculty, alumni, staff, or research extracts (including cross-linked data of SSNs and names) must be deleted and over-written in a non-recoverable manner, unless an exemption is granted to retain the information.
A. SCOPE
This policy applies to all University entities, affiliates, and personnel who administer, manage, maintain, or use University information technology resources, including their supervisors and their unit/department administrators. It applies to all locations of those resources, whether on campus or at remote locations.
B. CERTIFICATION OF NETWORKS AND COMPUTERS
All Campus Unit Technology/Information Security Managers (IT/ISMs) must certify to their respective Deans, Directors, and Department Heads annually that the servers and computers under their control contain no databases, files, or data extracts that include SSNs unless they have received a written exception to do so from the Office of Audit Services. IT/ISMs, working with Confidential Records Coordinators, will be expected to poll users within their units on a recurring basis, at least biannually in January and June, to ensure that servers, stand-alone computers, and laptop computers are certified to be free of SSN data.
C. CERTIFICATION OF DATA REQUESTS
The Office of Technology Integration is asked to generate reports for use by other departments and Department Security Coordinators (DSCs). In some instances, these requests include sufficient identity information, including SSN, date of birth (DOB) and address, that could be used for identity theft. As an additional protective measure to help reduce inadvertent exposure and unnecessary risk, all requests for reports that contain this type of information must be reviewed and approved by the respective VP, Dean, Department Head or Director before these reports are generated or provided to the requesting entity.
D. PHYSICAL SECURITY MEASURES
SSNs should not be stored on FSU-owned or personal computing devices unless the circumstances are mission-critical to the University. The transfer of confidential financial or personal identifying data to removable media such as jump drives, CD-R, or DVD-R media is discouraged; however, if such a transfer occurs, the removable media becomes subject to the same security protocols as the original data source. More specifically, the custodian of removable media that contains sensitive data will be expected to provide adequate physical security, register the media with their Confidential Records Coordinator, and be able to account for the removable media until it is erased or destroyed under controlled circumstances.
E. DECOMMISSIONING COMPUTERS AND SERVERS
Computers and servers that contain sensitive or confidential information must receive special attention when they reach the end of their service life and are decommissioned. Before assigning any computer that contains sensitive information to salvage or recycling, the IT/ISM shall ensure that the hard disk drive is physically destroyed if feasible or, alternatively, electronically erased under controlled circumstances by methods that render any data on the drive irretrievable by any means.
F. REPORTING COMPROMISED PERSONAL DATA
Inadvertent release or compromise of sensitive data, including the loss or compromise of portable computing devices or removable media containing sensitive data, or the discovery of unauthorized access to sensitive data on a computer or data storage device, must be reported immediately to the respective VP, Dean, Department Head, Director, and campus police. Upon discovery of unauthorized computer access, campus units must report the incident to abuse@fsu.edu as soon as possible. If the campus unit does not have existing internal capability to conduct computer analysis and related forensics, members of the University Computing Security Incident Response Team (CSIRT) will begin an investigation into the cause of the incident, in direct collaboration and coordination with the campus unit Department Head and IT lead, and will recommend to the appropriate Vice President, Dean, Department Head, or Director the corrective action to be taken immediately to terminate the unauthorized access and prevent a recurrence of the loss of data integrity.
G. SYSTEM DESIGN AND PROCUREMENT RESTRICTIONS
Systems that contain SSN data for purposes required by law or for FSU business necessity shall be designed and deployed in a manner that precludes the display of SSNs on monitors or screens except in areas that have been physically secured. The ability to print SSN data should be restricted to password-protected and physically secured printers. Where feasible, programs that use databases with SSN data should cross-link to FSUSN tables and display or print the FSUSNs instead of SSNs.
Hardware or software packages that cannot comply with this policy shall not be procured or developed by FSU, nor will they be allowed to connect to FSU networks, unless they have been approved for an exemption.
H. EXEMPTION REQUESTS
Individuals with a bona fide need for data that contains personal identification information must request an exemption by memorandum from their Vice President, Dean, Chair, or Director, with a copy to the Chief Auditor, Office of Audit Services. The exemption request must state the intended use of the database, file or extract, and describe in detail the physical and software security protocols that will protect the data from compromise. Both the data and the security protocols that protect the hardware and software that hold them will be subject to audit by the Office of Audit Services and the Office of Technology Integration.
I. IMPLEMENTATION
Given the pervasive use of the SSN on campus today, it will take time for campus units to come into compliance. Therefore, an implementation target of January 1, 2009 is established for campus units to come into compliance.
J. REVIEW AND UPDATE
This policy shall be reviewed and updated by the SSN Policy Committee on an annual basis, or as special events or circumstances dictate.
K. RELATED FEDERAL, STATE AND UNIVERSITY REFERENCES
University faculty, staff, students, and employees are bound by all applicable laws, rules, policies, and procedures. This policy is not intended to limit the applicability of any law or policy and does not preclude University units and related affiliate organizations from implementing additional, supplemental, or more stringent safeguards.
Federal references:
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
The Americans with Disabilities Act (ADA)
Privacy Act of 1974, as amended
State and Local Government references:
Section 282.318, Florida Statutes - Security of Data and Information Technology Resources
Section 119.072, Florida Statutes - SSN Exemption from Public Disclosure
University Policy references:
Policy OP-F-7 - Safeguarding of Confidential and Personal Information
Policy OP-F-6 - Destruction/Shredding of Confidential Documents and Records
Policy OP-H-9 - Information Technology Security