University of Missouri Social Security Number Program Element

Summary

The University of Missouri is committed to protecting the privacy and confidentiality of Social Security Numbers (SSNs). As a university we must assure that collection, management and display of SSN’s be controlled and that the use of the SSN as an identification number be limited. Databases and applications that contain SSN’s must have requisite security controls implemented to protect the confidentiality of the data.

SSNs will only be collected, stored, displayed, transmitted or used when their use has been properly requested and approved. The requestor along with the dean, director or department chair, have responsibility for ensuring SSNs are managed in a secure manner.

Access to Social Security Numbers

Access to all databases, applications and documents containing SSN’s is restricted to employees who have a legitimate University business need to access the information. Employees and volunteers who will have access to SSNs must sign a confidentiality agreement and shall not use or disclose SSNs other than as required to perform their legitimate duties.  Any unauthorized disclosure of SSNs must be reported to the employees immediate supervisor and ultimately to the appropriate ISO.

Requests to use SSNs must be documented utilizing the Social Security Number (SSN) Authorization Request Form. This applies to existing and new uses of SSN. The completed form must be reviewed and approved by all of the following:

1. the appropriate Dean, Director or Department Chair;
2. the business unit ISO;
3. the business unit Chief Information Officer (CIO);
4. with final approval by the VP for Information Technology (VP IT) or UM Chief Information Security Officer (CISO).

An employee, student, or any associate of the University who disregards policies and/or standard security practices or who knowingly breaches the confidentiality of another's SSN is subject to disciplinary and/or legal action.

Authorized uses

1. SSNs will only be collected, stored, displayed, transmitted or used when their use has been properly requested and approved. The requestor along with the dean, director or department chair, have responsibility for ensuring SSNs are managed in a secure manner.
2. SSNs will be released by the University to external entities only:
   
   1. as required for educational certifications by state or recognized boards; or
   2. when permission is granted by the individual; or
   3. when the external entity is acting as the University's contractor and adequate security measures and agreements are in place to prohibit unauthorized dissemination; or
   4. when the General Counsel's Office has approved the release; or
   5. As otherwise allowed or required by law.

If any exception to these requirements is deemed necessary, it will be identified at the time that a request is submitted and reviewed. The exception will be fully documented as part of that process and will include specific information security requirements that will be imposed. Completed forms and exception documentation will be kept on file by the appropriate business unit ISO.

Security Controls

Systems storing SSN’s must contain security controls that protect the integrity and confidentiality of the data.

Physical security controls that restrict access to servers and workstations that contain SSN’s including storage media such as disks, backup tapes and external storage drives.

SSN’s within historical records

1. Systems containing SSN’s must be protected by a Network firewall.
2. Systems containing SSN’s must include authorization and authentication controls to limit access to users who have an authorized business need.
3. Databases that contain SSN’s must be encrypted.
4. Transmission and transport of documents and files (electronic or in paper form) containing SSN must follow the requirements outlined in the Standard for Transmission/Transfer of DCL3/DCL4 Data.
5. Forms (paper, electronic, etc.) that collect SSNs must include disclosure statements regarding the reason for which the SSN is being collected and how it will be used.

SSN’s may be part of a historical record given its past use as the primary identifier for the University.  SSN’s may no longer be used as a primary identifier unless the appropriate ISO has granted an exception for that use.

Access to imaged or other online documents containing SSN’s must be limited to authorized persons only, and must be secured via approved access policies.

Disposal of records

1. Records that are no longer needed must be purged.  The disposal of records must follow University Records Management policies and procedures.
2. Computers shall be disposed of in compliance with the university computer disposal policy.
3. Documents, hard drives and other media that contain SSN’s must be disposed of properly.