Information Security Standards and Procedures
Request for Storage of Social Security Numbers
Last Modified: 10/19/2010 (ISSP-014)

Introduction

The threat of identity theft has been growing at an unprecedented rate and the University of South Florida System (USF System) commits to provide enhanced security for its students, staff, faculty and patients. Accordingly, the USF System will no longer use nor permit the use of a Social Security Number (SSN) as an identifier for a person in any USF System information system unless the use of an SSN is imperative for the performance of the USF System’s duties and responsibilities as prescribed by law.

The goal of this procedure is to help keep the number of units storing Social Security Numbers to the minimum needed to achieve the University mission and maintain compliance with state and federal regulation. All available alternatives to the storage of SSNs must be thoroughly examined prior to approving the storage of SSNs.

Procedure

Please make sure to follow this procedure before making any commitments regarding the storage of Social Security Numbers. According to USF System Policy 0-516, SSN Appropriate Use Policy, “the only USF System units that will be allowed to collect, electronically transmit, store or use the SSN are offices authorized by the ITMC and in accordance with standards mandated by the Office of Information Security.”

1. Fill out sections I, II, and III of the attached form.
2. Submit the completed form to the Office of Information Security for initial review, c/o Kay Svendgard, kricca@usf.edu.
3. After the form is finalized, it will be returned to you for VP signature (section IV).
4. A meeting will be scheduled with the Information Security Workgroup (ISW) for evaluation of the request for analysis, and you will be asked to attend. Based on the outcome of this meeting, the ISW will authorize the analysis phase by the Office of Information Security, with input from University Audit and Compliance.
5. Members of the Office of Information Security (OIS) will meet with technical and functional personnel involved with the request for a thorough technical evaluation. Adjustments to the security posture of the hardware and software used to store the SSNs will be recommended by OIS, if appropriate.
6. The final status will be reported back to the ISW, and a recommendation will be made to the IT Management Council.
7. The ITMC will make the final approval for storage of SSNs.

Section I: Requestor Information

Requestor:
Requestor Title:
Requesting Dept:
ITMC Sponsor/VP:
Date of Submittal:
Phone Number:

Section II: Information Security Workgroup Process (to be completed by Requestor)

Justification for use/intake/storage of SSN: Please provide a detailed explanation of why it is necessary for your office to retain, use, intake or store SSNs, or the reason for requesting an extension of the deadline to comply.

How are SSNs obtained: (paper form, extract from another system, external agency, etc.)

How many SSNs are stored in the system? (Include separate counts for production, development, and test environments if appropriate)

Describe Storage System: (include hardware, software application, database, versions, tables and fields where the data will be stored, if applicable)

Describe Mitigating Controls: (include all controls in place to mitigate the risk of exposure)

To what other system or area within USF or externally is this data provided:

Who will have access to this information? (include person name or roles and role description with permission to access SSN information)

Section III: System Security Responsibility (to be completed by Requestor)

Person(s) Responsible for the Security of this System: (Please print legal name and include contact information)
Signature:
Title:
Date:

Section IV: Area VP Request Approval (to be completed by area VP)

VP Name: (Please print legal name and include contact information)
Signature:
Title:
Date:

Section V: System Security Review (to be completed by a member of the Office of Information Security or delegate)

Recommendation of Information Technology, Office of Information Security:
Signature:
Title:
Date:

Section VI: Action of Information Security Workgroup

Preliminary approval for use – proceed to next section
Not approved

Section VII: Final Review by IT Management Council

Action by ITMC:
Final Approval
Approval with limitations
Disapproval