Faculty and staff members in campus units that need to archive sensitive data such as Social Security numbers, credit-card numbers and grades will have the opportunity to undergo a training program later this year. The campus Security Office is creating a Working with Sensitive Data program that will be offered in the late summer or early fall. The 90-minute sessions will instruct faculty and staff members who are authorized to handle sensitive data on how to safely maintain the information.
Last fall, the Security Office, in conjunction with the Office of the Chancellor and the Office of the Provost, launched a campuswide initiative to identify computer files containing Social Security numbers and credit-card numbers using a software package called Firefly. The program scans workstations that run on Microsoft Windows operating systems and provides a list of files that may contain sensitive data.
Faculty and staff members were required to perform the scans by Jan. 14, and units were required to complete internal reviews and report on their compliance efforts by March 14. Units are now required to create and maintain lists of individuals who are authorized to access and work with SSNs and lists of electronic systems that store SSNs along with plans for eliminating SSNs from their systems or obtain permission to retain the data. The security group recently provided a preliminary report to the Chancellor’s and Provost’s offices, and together they will review each unit’s compliance plans and requests for retaining SSNs.
According to the security group’s report, faculty and staff members ran 16,840 scans with Firefly, which scanned 88 million files on employee workstations and indicated that more than 1.9 million files potentially contained sensitive information.
Since the initiative was launched, “We’ve had a lot of people contact us asking how to maintain the data securely,” said Mike Corn, director of security services and information privacy in the Office of the Chief Information Officer. “As the next step, they will need to think about how they’re working with sensitive data and whether they’re storing it properly.”
The vast majority of the 1.9 million files that Firefly’s reports indicated potentially contained sensitive data could be false positives, Corn said. But if users have any doubt, they should review their Firefly reports and verify that the files don’t contain SSNs. Computer users can scan their workstations again at any time, and units will be required to scan their computers and report their compliance annually.
Under the Personal Information Privacy Act (www.cio.uiuc.edu/pipa/), which took effect in Illinois on Jan. 1, 2006, the UI and other state universities and organizations are required to notify affected individuals whenever a data breach occurs. The estimated cost to the UI if a data breach occurred is $75 per SSN.
“Trust in the security of our data is increasingly important to our students, staff and faculty, and to the well being of the institution,” said Provost Linda Katehi. “We are grateful for the creative and ongoing efforts of the security initiative to protect our community.”
Corn said that the security group has been contacted by several universities that are interested in using the Firefly software. The security group plans to continue to enhance Firefly and is looking at adding features specifically for the information technology community and for identifying other sensitive data such as grades and students’ personal information.
This summer, the security group will release a program for registering laptop computers to assist in recovering stolen equipment. As part of the SSN remediation program, laptops containing sensitive data must be identified and protected. The group is researching software for encrypting data on laptops and mobile devices such as Blackberries and cell phones.
