Recent events concerning the distribution and control of sensitive information located on university and personally owned
information resources have forced all of us to analyze how we are collecting, receiving, accessing, storing, sending, and
destroying sensitive information related to our students, faculty, staff, and business partners. Although the university
as a whole can provide guidance to individuals on how to properly interact with sensitive information, it is ultimately up
to each university employee to proactively protect the information people have entrusted to our care. Recently the
President’s Cabinet approved twenty-three University Procedures developed by the University Technology Council to
provide guidance on individual and department responsibilities for university information resources, including
sensitive information. These University Procedures supplement University Rule 21.01.06.C2 Security of Electronic
Information Resources and are published to the University Rules web page. You can also find a consolidated version of
these procedures on the TAMUCC Security web site in the Guides section.
One of the major issues facing this university is identifying information resources that contain sensitive information.
Although the user of an information resource may not deal with sensitive information on a daily basis, there is always the
possibility of residual data that the user is not aware of. To help locate and identify sensitive information, all
university employees should review all university computers, mobile devices, and removable storage devices and media that
they have been assigned responsibility to maintain for any file that contains sensitive personal information. Individuals
who have been permitted to utilize personal resources to conduct university business should also check these
resources. Sensitive personal information includes a person's full or partial name in conjunction with other information such
as complete or partial Social Security Numbers, date of birth, driver's license or government-issued identification number,
or any financial information such as credit card or bank account numbers.
Locating Sensitive Information
One method for locating sensitive information on systems running Windows, Linux, Unix, or OS X operating systems is to
utilize the “Spider” tool developed by security administrators at Cornell University. Detailed instructions for using the
“Spider” tool have been included by the Cornell administrators. Using this tool will generate a list of files that may or
may not contain sensitive information related to Social Security and credit card numbers. Special attention should be paid
to the fact that this tool may misidentify certain files as containing sensitive information. These are generally limited
to image files such as JPG and TIFF but may include text documents. Each text file identified should be reviewed
individually to determine whether or not it contains sensitive information. Watch the Resources section of the TAMUCC
Security web site for more information regarding the use of this tool.
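
The sketch below is an added illustration, not Spider's code and not part of the original message. It shows why a pattern-based scan for Social Security and credit card numbers flags image files and why text hits still need manual review; the patterns, the file names, the review notes, and the sample bytes are all assumptions constructed for the example.

```python
import re

# Candidate patterns: assumptions for this example, not Spider's own rules.
SSN_RE = re.compile(rb"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
HIGH = "text file: review by hand"
LOW = "binary/image file: likely misidentified"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that real payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plausible_ssn(area: bytes, group: bytes, serial: bytes) -> bool:
    """Drop values never issued as SSNs: area 000/666/9xx, group 00, serial 0000."""
    return (area not in (b"000", b"666") and not area.startswith(b"9")
            and group != b"00" and serial != b"0000")

def looks_binary(data: bytes) -> bool:
    """NUL bytes or >10% control bytes suggest an image or other binary file."""
    if b"\x00" in data:
        return True
    ctrl = sum(1 for b in data if b < 9 or 13 < b < 32)
    return bool(data) and ctrl / len(data) > 0.10

def scan(name: str, data: bytes) -> list:
    """Return (file, kind, review_note) for each candidate hit in one file."""
    note = LOW if looks_binary(data) else HIGH
    hits = [(name, "ssn", note) for m in SSN_RE.finditer(data)
            if plausible_ssn(*m.groups())]
    for m in CARD_RE.finditer(data):
        if luhn_ok(re.sub(rb"\D", b"", m.group()).decode()):
            hits.append((name, "card", note))
    return hits

# Constructed sample inputs (no real personal data).
SAMPLES = {
    "roster.txt": b"Jane Doe 123-45-6789 card 4111 1111 1111 1111\n",
    "notes.txt": b"Order 1234 5678 9012 3456, ref 000-12-3456\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x93123-45-6789\xfe\x00",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        for hit in scan(fname, blob):
            print(hit)
```

The image sample is flagged only because its raw bytes happen to contain a digit run shaped like a Social Security number, which is the kind of misidentification described above.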
Handling Sensitive Information
Although it is necessary to closely control sensitive information, it does NOT mean that the information needs to be removed
from an information resource. Individuals who locate sensitive information need to identify whether there is a specific
business need to maintain the information on that resource. Any information that has been determined to be unnecessary
should be immediately deleted. Individuals who identify files that contain sensitive information that is necessary to
complete a specific business function will immediately notify their immediate supervisor for review, clarification, and
instructions on how to protect the information.
There are other areas involving sensitive information that should be taken into consideration. Departments and divisions
are required to review how they collect and store sensitive information via paper forms. During the review of paper
forms, methods and techniques for removing fields associated with an individual's Social Security number from these
forms will be considered so as to comply with upcoming state legislation.
Departments and divisions are also responsible for ensuring that each one of their employees completes an appropriate
FERPA training course that will be provided by the university. This training will be utilized to augment the university's
Information Security Awareness training.
Positive Direction
Although these actions may seem a bit confusing and may prove to be initially time consuming, the end result of providing
proper protection for an individual’s sensitive information will ensure that this university can focus future activities
on the normal services we provide to our students, faculty, and staff. Providing a safe and protective working environment
for our students and employees has always been a top priority of this university. I assure you that these actions will
ensure we are successfully moving down this path. Please contact me directly if you have any questions.
--------------------------
Take Care,
Don C. Weber
IT Security Manager - Texas A&M-Corpus Christi
CISSP, GIAC