Faculty, Staff Can Help Protect SSNs and OSU Data

by Charles Morrow-Jones, Director of Cybersecurity, Office of the CIO

Posted: October 10, 2006

One in a Series of Articles for National Cyber Security Awareness Month

With October comes the annual observance of Cyber Security Awareness Month - a time when we should all focus more closely on protecting our computers and the information that they store. This year, the Office of the Chief Information Officer is highlighting the need to protect data, in particular, data that can be useful to identity thieves.

One of the most useful pieces of personal data that an identity thief can acquire is the Social Security number. In conjunction with the names of the individuals that they identify, SSNs are gold among the criminal community. Through ‘underground’ web sites, identities are bought and sold by the thousands. Any source of large numbers of identities thus becomes very attractive to the criminal element of the hacker community.

Historically, Ohio State has long used the SSN as an identifier for its students (as well as faculty and staff). Indeed, the university’s data environment is rife with student SSNs stored in various formats. They are printed on rosters, displayed online, and stored in numerous separate databases and electronic files. This prolific use of SSNs campuswide in both paper and electronic formats has raised the risk of Social Security number theft and hence, identity theft.

Shifting technologies add to the risk. Many faculty and staff retain electronic copies of rosters on their personal computers. As more users migrate from desktop to laptop computers, they often copy this information to the new computer without reviewing whether it still serves a useful purpose. Given that laptops are stolen at a much higher rate than desktop computers, the risk of losing sensitive information has increased accordingly. The problem is exacerbated by the availability of alternative storage devices, such as USB (or ‘thumb’) drives that hold large amounts of data but are extremely easy to steal or lose.

SSNs stored on paper are no more inherently secure than those stored electronically. Both departments and individual faculty and staff often retain paper copies of rosters, grade change forms, and other student-related materials, as well as administrative forms for faculty and staff, that often contain Social Security numbers.

The long-term solution for Ohio State lies in eliminating the SSN as the primary identifier throughout the campus. The university has already created a new employee ID for faculty and staff and is now working toward eliminating the SSN as the student identifier through projects such as the Student Information System (SIS) and BuckeyeSecure. The university launched these two initiatives to unify the campus various identity management systems and integrate information systems as much as possible. However, these projects are going to take time to implement across the current university infrastructure.

In the meantime, to address the SSN problem in all its dimensions, the Security group in the Office of the Chief Information Officer is teaming with the BuckeyeSecure Project to raise awareness among faculty and staff of their roles in protecting Social Security numbers and the steps they can take to reduce the risk of SSN (and identity) theft.

Following are some ways that you can reduce the exposure of Social Security numbers in the university community.

SSNs stored on paper:

• Store documents in locked filing cabinets.


• Limit the display of sensitive information; do not leave papers containing SSNs on your desk.


• Shred documents with personal information, preferably with cross-shredding blades. Follow your unit's records retention and disposition schedule.


• Mark your calendar now for Ohio State's BuckeyeSecure ShredFest, scheduled for the week of December 4. This event presents a great opportunity to clear out your office files, even CDs and DVDs, in bulk and in a secure manner.

• Review stored data that contain SSNs to determine whether you need to retain them. If you are not sure which files on your computer contain SSNs, you can use software tools to identify them. For assistance, contact your local computer support staff or send us e-mail at security@osu.edu.


• Encrypt and/or password protect electronic data. Encryption transforms data into unreadable form that can only be deciphered by those who have the ‘key’. Current Windows and Macintosh operating systems include features for encrypting sensitive data. Again, contact your local computer support staff for assistance.


• Avoid e-mailing unencrypted sensitive information. Before you use electronic communication, be sure the connection and transfer of information is secure.


• Prevent access to your computer by using password protected screen savers.

The first steps in preventing identity theft occur when we think about where we use SSNs and how we can transition away from them. Through the CIO Security group and the BuckeyeSecure program, the Office of the CIO stands ready to help.