UC Santa Cruz Information Technology Services

Information Security Team
Communications Building
1156 High Street
Santa Cruz, CA 95064
Phone: (831) 459-HELP



Maintained by secweb@ucsc.edu
Last Reviewed on Oct 26, 2004

© 2008 The Regents of the University of California

 


MODEL FOR SOCIAL SECURITY NUMBER (SSN) SCANNING ON UCSC CAMPUS SYSTEMS



General Methodology for Performing Scans for Personal Identity Information (PII) Data, e.g. SSN

Users:

Users may scan their own systems for PII data.

Scan results may contain PII and must be protected and disposed of accordingly.

Service Providers and Unit/Departmental Managers:

Prior to performing a scan for PII data on any system, Service Providers or Unit/Departmental Managers must

  • Provide advance notification of the scan to all individuals, managers and system stewards whose data will be scanned
  • Provide an option for individuals to request an exemption from the scan, to remove or exclude personal or electronic communications files from the scan, and/or to choose to scan their own systems themselves
    • Advance notification must be sufficient to realistically allow individuals to exercise these options.

Service Providers and Unit/Departmental Managers must adhere to the following agreements with respect to scan results:

  • Assure a practice of least perusal and retention of scan results
  • Consult with the user/data owner (if known) on scan results indicating potential PII
  • Properly protect and dispose of scan results

UCSC IT Security:

As part of UCSC’s standard IT incident response procedure, the UCSC IT Security Team is authorized to scan for PII data on any system in response to a security breach or compromise. The system steward (or the data owner in the case of a non-shared system) shall be notified prior to performing the scan. IT Security must adhere to the above agreements with respect to scan results as applicable to a given security investigation.


Authorization for Performing Scans for PII Data

Individuals:

Individuals are authorized to scan their own systems for PII data.

Service Providers:

Service Providers are authorized to scan for and access PII data on systems for which they have administrator privileges, with the permission of the system steward or data owner.

  • Note: for departmental systems or servers with shared data, the system steward is the departmental manager.

Unit/Departmental Managers:

Unit/Departmental Managers are only authorized to scan departmental systems for which they are the system steward, and must comply with the terms outlined above for these scans. Unit/Departmental Managers are not authorized to scan other systems, including individual users’ systems, without the explicit consent of all parties whose data will be scanned.

UCSC IT Security:

The UCSC IT Security Team is authorized to scan for PII data on any system in response to a security breach or compromise as part of UCSC’s standard IT incident response procedure.


Related UC Policy

University of California Electronic Communications Policy (ECP):

 

Rev. 4/13/06