SSN Policy Exemption for IT Professionals
Background
Presently, the campus Appropriate Use Policy forbids the examination of the contents of electronic files other than by the owner of those files except in very restricted cases. In general, file contents and network traffic may only be examined as part of an ongoing security investigation and with the express written approval of the campus Chief Information Officer or designee. In the Fall of 2007, under the guidance of the campus Security and Privacy Office within the Office of the Chief Information Officer, the Offices of the Provost and Chancellor initiated a significant program to identify and remove electronic files containing Social Security numbers and credit card numbers.
The program has two parts. First, all faculty and staff at the Urbana-Champaign campus will be required to search for and remediate (i.e., delete, redact, or securely archive) electronic files that contain either of these two data elements. Detailed instructions on how to handle such files will be distributed during the program. Second, IT Professionals working in units will be charged to perform a similar search on large shared data pools such as network-accessible file shares. Strictly speaking, it is a violation of campus policy for IT Professionals to implement such a search in that it will almost certainly involve examining the content of files that they would not normally have reason to examine.
Please note that the process of searching for files containing SSNs or credit card numbers will not, in its first pass, be a manual one. Reasonably effective electronic tools have been created and/or identified that will scan over most drives and provide a 'suspect file' list. However, it is impossible to guarantee that every file identified contains a Social Security number. Many programs store 9-digit numbers that are indistinguishable from SSNs. Consequently, the IT Professional will need to either a) examine the file himself or herself or b) bring it to the attention of the file owner for examination. Units are free to encourage whichever option best fits their working environment. This document, which bears the approval of the Chancellor and Provost, provides the necessary policy exemption for the IT Professional staff to both execute the search and the subsequent file examinations.
Policy Exemption Statement
For the limited purpose of remediating electronic files that contain Social Security numbers and/or credit card numbers, full-time professional IT staff who are expressly designated by their department or college head may use automated scanning programs to identify files that may contain said data. If so directed by their unit, they may also open and examine files identified by the scanning software to confirm or deny the existence of SSNs or credit card numbers within these files. This exemption has been expressly created to provide authorization that is normally precluded by section 6 of the campus Appropriate Use Policy.
This exemption is strictly limited to the data and populations described and does *not* extend to the general examination of files for other purposes or other classes of sensitive data or security incidents.
Duration of the Exemption
This exemption will remain in effect for the duration of the program, which is anticipated to run through April 2008. At the discretion of the unit head (department or college), this exemption may be reactivated for specific individual full-time professional staff members for the purpose of running automated scanning programs that search for SSNs and credit card numbers. The list of authorized programs will be maintained by the campus Security Office. Units are required to document the authorization to execute such searches within their internal records systems.