
     


 



Internal SSN Policies

I.    Background and Purpose

We are all aware that the university has recognized the increased concern for individual privacy and prevention of identity theft. This has been addressed through University policy and House Bill 104. Given these concerns, the department is enacting the following internal policy. While the greatest proliferation of this information is involuntary, all department personnel are still obligated to ensure the confidentiality of Social Security Numbers.

II.    Scope and Applicability

This policy applies to all departmental personnel. This policy is in addition to University policy and the existing federal and state mandates. While this is not a substitute for existing state and federal laws, it is a first step towards compliance.

III.    Statement of Policy

  1. No departmental personnel shall store Social Security Numbers, coupled with the first and last name, or other personally identifiable information, whether encrypted or not, on non-departmental equipment. This includes any laptops, desktop computers, flash drives, CD/DVD’s, or tape backups.

  2. All SSN’s coupled with the first and last name of a person that must be stored electronically to conduct normal university business must be encrypted. Eliminating one element of the pair is sufficient to avoid HB104. Removal of SSN's from an Excel spreadsheet for example is a viable way to avoid HB104's notification requirements; and is as acceptable as encryption. Examples of department offices that need to store personally identifiable information are Undergrad Studies, Grad Studies and the Personnel Office.

  3. In the current registrar’s system it is unavoidable to temporarily store SSN’s in an unencrypted form. Therefore access to the registrar’s web site must be confined to departmental owned desktop computers. All files, including the web browser cache, must be immediately cleared by the procedure recommended by Computer Support (see appendix).

  4. Transmission of sensitive information, especially names coupled with SSN’s, via e-mail is prohibited. In the event that you receive such information via e-mail, the sender should be notified that this is an unsafe practice, and should be asked to stop sending this information by e-mail. The e-mail then should be immediately discarded.

  5. Non-compliance with this policy may lead to disciplinary action. For faculty, the cost of remediation and/or notification may be passed on to your university chart field(s).

Last Modified on May 31, 2007

 



SSN Cleanup and Security Procedures

 



How To Clean Up Current Issues on Windows

Identifying Files with Personal Data

There is a program, Spider, that was written by Cornell University that scans Windows hard drives looking for files that look as though they may contain personal data, such as Social Security and credit card numbers.

Spider can be downloaded at the following address:

http://www.cit.cornell.edu/computer/security/tools/spider-windows.html

Before running Spider, clear your web browser’s cache.  Instructions on how to do this on many common web browsers will be posted on our website soon.  Clearing the cache before running Spider usually eliminates many of the files that will be flagged by Spider, and should be done in any case because of the data given by certain University websites.

After launching Spider, click on the Run Spider button.  Spider needs to read each file on your system, which can take a significant amount of time.  As Spider runs, it writes a log of suspect files to C:\SPIDER.txt.

Once Spider has finished running, you can look at the log file to identify files that actually contain sensitive data.

Eliminating Personal Data from your Computer

  • Deletion

    • If you don’t need the file, simply delete it.

  • Removal of Personal Data

    • If you need the file, but don’t need the data covered by our policies, remove the data from the file, and be sure to remove any old copies of the file that you have.

  • Redaction of Personal Data

    • If you need the file, and some personally identifiable information, you can remove at least the first four digits of the Social Security number. Redacting this data provides coverage under House Bill 104.

  • Encryption of Personal Data

    • Computer Support is currently examining a few different encryption schemes. Please check with us if you feel you have personal data that you need to keep, and we’ll try to come up with an acceptable solution.


Securely Deleting Files

Even after a file has been deleted, it can be simple for someone to recover it.  Computer Support has found a tool that can be used to securely erase files and prevent their recovery.  Going forward, it’s possible to securely delete individual files, but we also need to take care of old files that were insecurely deleted in the past.

The tool to use for this task is called Eraser.  It can be downloaded from the following address:

http://sourceforge.net/projects/eraser/

Before running Eraser, empty your Recycle Bin.

The following are instructions to securely remove the previously deleted files using Eraser:

  • After launching Eraser, go to “File->New Task…”

  • In the “Task Properties” window that opens, select “Local Hard Drives” under “Unused space on drive”

  • Click the “OK” button

  • Go to “Edit->Preferences->Erasing…”

  • In the “Preferences: Erasing” window that opens, select the “Unused Disk Space” tab

  • Select option #3, US DoD 5220.22-M (8-306. / E), under “Erase with”

  • Click OK

  • Back in the main window, select “Task->Run…”

  • A dialog box will come up asking you to confirm. Click the “Yes” button

 



How To Clean Up Current Issues on Macintosh

Identifying Files with Personal Data

There is a program, Spider, that was written by Cornell University that scans Mac hard drives looking for files that look as though they may contain personal data, such as Social Security and credit card numbers.

http://www.cit.cornell.edu/computer/security/tools


It is recommended that you clear your browser cache before running Spider; see below for procedures.

Actually, the best way to scan Mac OSX computers with Cornell’s Spider would be to use the Spider for Linux version, and run it on a Linux machine, mounting Macs via NFS or Samba. It’s an older, more stable version of the forensic tool.

1. Launch the Spider application.

2. Click Run Spider. The scan may take some time to complete; be patient.

3. After scan has completed, double click the log file to open it

4. Check the results. Remember, you will get false positives

Remember to securely delete the spider.log file when finished (see next section)

5. Exit the Spider application.


Eliminating Personal Data from your Computer

  • Deletion

    • If you don’t need the file, simply delete it.

  • Removal of Personal Data

    • If you need the file, but don’t need the data covered by our policies, remove the data from the file, and be sure to remove any old copies of the file that you have.

  • Redaction of Personal Data

    • If you need the file, and some personally identifiable information, you can remove at least the first four digits of the Social Security number. Redacting this data provides coverage under House Bill 104.

  • Encryption of Personal Data

    • See procedure listed below
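The identification and redaction steps described above for both Windows and Mac, as an added Python example (not Spider's code and not a Computer Support tool). It finds SSN-shaped numbers, filters out shapes that are never issued to reduce the false positives mentioned above, and masks the first five digits, which satisfies the "at least the first four" rule; all function names and the sample data are constructed for illustration.

```python
import re
from pathlib import Path

# SSN-shaped token: 123-45-6789, 123 45 6789 or 123456789, not inside a longer digit run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def plausible(m):
    """Drop shapes never issued: area 000/666/9xx, group 00, serial 0000."""
    area, group, serial = m.group(1), m.group(3), m.group(4)
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def find_ssns(text):
    """Return (line_number, matched_text) for each plausible SSN-shaped token."""
    return [(n, m.group(0))
            for n, line in enumerate(text.splitlines(), 1)
            for m in SSN_RE.finditer(line) if plausible(m)]

def redact(text):
    """Mask the first five digits, keeping separators and the last four."""
    def mask(m):
        if not plausible(m):
            return m.group(0)
        return f"XXX{m.group(2)}XX{m.group(2)}{m.group(4)}"
    return SSN_RE.sub(mask, text)

def scan_tree(root, max_bytes=5_000_000):
    """Map file path -> line numbers with hits. The numbers themselves are
    not written to the report, so the report is less sensitive than the data."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.stat().st_size <= max_bytes:
            text = path.read_bytes().decode("utf-8", errors="ignore")
            lines = [n for n, _ in find_ssns(text)]
            if lines:
                report[str(path)] = lines
    return report

# Constructed sample data, not real records.
SAMPLE = (
    "name,ssn,phone\n"
    "Jane Doe,078-05-1120,614-555-0100\n"
    "John Roe,219099999,6145550101\n"
    "Order ref 000-12-3456 part 987-65-4321\n"
)

if __name__ == "__main__":
    print(find_ssns(SAMPLE))
    print(redact(SAMPLE))
```

The example reads files as plain text, so compressed or binary document formats need their text extracted before scanning. Redacted copies replace the originals only once the originals have been securely deleted as described in the next section.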

SECURELY DELETE FILES WITH “SECURE EMPTY TRASH”

Securely delete files with sensitive info from computer; simply using the empty trash command does not delete the file sufficiently to comply with HB104*

1. Move file(s)/folder(s) to be securely deleted to the Trash.

2. From Finder menu, choose Finder -> Secure Empty Trash

3. For the Unix-inclined: Secure Empty Trash can be executed at the command line (in Terminal), by using the command srm with appropriate options and path-to-file. There are three levels of file-overwriting possible, depending on the options you choose: single-pass (overwrite the file with zeros) with the -s option, DOD 5220-22-M standard-compliant 7-pass overwriting with the -m option (the default for using Secure Empty Trash from the graphical user interface), or 35-pass overwriting (Gutmann algorithm) without the -s or -m option.

*Note: If you are not running a recent version of OSX (10.3.x or 10.4.x) on your Mac, you will not have the “Secure Empty Trash” tool available to you. Recommendation: upgrade to current version of OSX if possible. Otherwise, you may need to purchase/use a third-party utility such as Shredit (http://www.mireth.com/shredit.html) to accomplish this function.


ERASE FREE SPACE

Use Disk Utility’s “Erase Free Space”

Overwrites free space on drive and previously “deleted” (that is, non-securely deleted) files.

Does not touch other information on your hard drive volume. (In other words, it doesn’t completely wipe everything!)


1. Launch “Disk Utility” (in Utilities folder within Applications folder).

2. Click on your hard drive’s volume (e.g., Macintosh HD)

3. Click on the Erase tab/button

4. Click on “Erase Free Space” (not Erase!). We recommend that you do the 7-pass Erase of Deleted files

 



Protecting for the Future on All Platforms

Windows

Use Eraser to Remove Files with Personal Information

Eraser adds an item to the menu you get when you right click on a file in My Computer.  Simply select “Erase”, and then click “Yes” in the confirmation box that pops up.

Securely Clear your Browser Cache

Computer Support has written a tool to securely erase your browser cache.  You will need to have Eraser installed to use this tool.  Check with Computer Support if you need help using it.

Cache Eraser 1.0 (Windows XP/2000)

Encrypt Files that Must Contain Personal Information

Computer Support is still evaluating different means of encrypting files that can’t be removed.  We’ll keep you informed as we determine the best course of action.

MAC

Use Secure Empty Trash function

In the future, use Secure Empty Trash to securely delete file(s)/folder(s) containing sensitive info from your Mac.

 

DELETE WEB BROWSER CACHES

Safari 2.x – Mac

            1. Click on Safari -> Empty Cache.

            2. A window will appear asking if you want to clear cache.  Click on Empty.

Firefox 1.5 – Mac

Click on Firefox -> Preferences.

Click on the Privacy icon.

View the “Cache” tab and click on Clear Cache Now.

Firefox 2.x – Mac

            1. Click on Firefox -> Preferences.

            2. Click on the Privacy icon.

            3. View the “cache” tab and click on Clear Cache Now.

Internet Explorer – Mac

(Ideally, you shouldn’t be using IE for Mac anymore at all, as development for it ceased in June 2003 and support for it ended December 31st, 2005.)

Start Internet Explorer.

Select Explorer -> Preferences from the toolbar.

Select the Web Browser menu.

Select the Advanced menu.

On the right-side of the “Preferences” window in the Cache section, click on Empty Now.

 

Netscape/Mozilla – Macintosh

Select Edit -> Preferences.

Select Advanced.

Select Cache.

On the right-side of the “Preferences” window, click on the Clear Cache button.

 

[If you are using a different browser (e.g., Opera, Camino, SeaMonkey, other), see that browser’s Help, or other documentation for how to delete your cache and/or other private information on that browser.]

ENCRYPTING SENSITIVE DATA ON YOUR COMPUTER

OSX’s FileVault (first introduced in Panther) vs. creating individually password-protected, encrypted disk images using Disk Utility.

FileVault lets you encrypt/protect everything in your home directory using 128-bit AES encryption. **Be aware – there are pros and cons to using FileVault!**

Perhaps a better alternative is to choose exactly what you want/need to encrypt and create one or more individual password-protected, encrypted disk images containing those files using disk utility. View “How to create a password-protected (encrypted) disk image” from Apple’s Support pages at http://docs.info.apple.com/article.html?artnum=107333

 

 

Linux/Unix

Use Shred to Remove Files with Personal Information

If GNU shred is available, use it to shred files: shred -f -z filename

If GNU shred is not available, please contact computer support to help find solutions.  Currently we are still researching options for our main Unix server.

Securely Clear your Browser Cache

Computer Support will be working on a tool to securely erase your browser cache.  For the moment, you could manually use shred if you know where the cache files are stored.  Check with Computer Support if you need help with this in the interim.

Encrypt Files that Must Contain Personal Information

Computer Support is still evaluating different means of encrypting files that can’t be removed.  We’ll keep you informed as we determine the best course of action.

Last update: Thu Jun 21, 2007

Contact Information:
Department of Chemistry
The Ohio State University
100 W. 18th Avenue
Columbus, Ohio 43210
phone: (614) 292-2251
fax: (614) 292-1685
Contact Us

If you have trouble accessing this page and need to request an alternate format,
please contact Michael Reed at mreed@chemistry.ohio-state.edu

© 2005, All rights reserved, The Ohio State University, Department of Chemistry