Cleanup of SSNs from CS Computers

This document addresses cleanup of Social Security Numbers at CSU.

For detailed information from the University level, go to: http://csuid.colostate.edu/

All staff and faculty were informed of the issue by Professor Whitley in an email sent out on August 18th, 2006. If you would like to look at the form to be signed by 30 September or would like to see Tony Frank's letter regarding this issue, go to: http://csuid.colostate.edu/?page=forms

The University stresses that focus should be placed on "lists of SSNs". They are not too worried about the occasional email containing one SSN. However, it is best if all individuals delete all known SSNs from the file system

Faculty and instructors might think they do not have any SSN lists. But have you ever received a class rolls file from SNA? If yes, then SNA emailed it to you. Did you delete it from your email folders? Did you save it to your class directory?

An important point is each employee has responsibility over his/her files and computer. For instance, if you have a department laptop checked out for a class, you are responsible for making sure it contains no SSN lists. If your files are kept on the UNIX servers, you are responsible for those files falling under your control (e.g. files kept in a class directory).

SNA has a scanning tool for hunting down lists of SSNs. Paul Hansen is in charge of scanning machines running Windows. If you would like a machine or laptop scanned, please contact him at hansenp@cs.colostate.edu. He can do this remotely as long as the machine is on the CS network. After scanning the machine he will send the owner a file containing a listing of positive hits. Along with the file will be hints on how to interpret the log file.

We are still trying to develop a mechanism for scanning the Unix systems that does not generate an unmanageable number of false positives. When we have this working Wayne will send each CS employee a list of your suspect files on the Unix servers.

Once you have the list, you have several options.

  • 1) Edit the SSN(s) from the file.
  • 2) Delete the file
  • 3) Archive the file

  • If you decide to archive, your choice of media must be something that is not permanently on the network. For instance, you can use an external harddrive, but it must not remain connected to a networked computer. It can be hooked up to a networked computer for short periods of time in order for you to access data.
  • You can archive to Flash Memory sticks, but the sticks must then be labeled and locked in a desk or filing cabinet.
  • You can burn the data to a cdrom or dvd. If you do not have a cd burner, you can map your drive to one of the department machines which have cd/dvd writing drives. The following machines are equipped with cd/dvd burning drives:

    1. Windows: cimarosa, sarasate (3rd floor, South)

    2. Linux: armstrong, basie (3rd floor, South)

    Please understand systems administration will try to aid you in this huge cleaning of the system; however, systems administration is not responsible for cleaning up the file system. We, too, have to sign the form on by September 30th; like everyone else, we will sign it with regard to our personal machines and directories.