Social Security Numbers
The University of Texas at Brownsville and Texas Southmost College (UTB/TSC) is committed to safeguarding its valuable information assets and protecting the privacy of those it serves. To that end, UTB/TSC develops and maintains a successful information security program that includes enforceable policies and procedures to protect privacy and safeguard UTB/TSC’s information assets.
This compilation of procedures governs the security of social security numbers (SSNs). The procedures are intended to comply with UTS165, which requires each institution to develop and implement a written security plan for records and record systems that contain SSNs.
UTS165 governs the confidentiality, integrity and availability of individuals’ SSNs maintained by U.T. institutions. The UTS165 Security Plan shall include administrative, physical, and technical safeguards that (i) ensure the confidentiality, integrity and availability of all SSNs U.T. institutions maintain; (ii) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and (iii) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by law.
To avoid unnecessary duplication of efforts, the UTS165 Security Plan is based on Subpart C of Part 164 of the HIPAA Security Standards and leverages UTB/TSC’s ongoing efforts to consolidate all security risk assessments required to comply with institutional, state, and federal regulations.
By reference, the UTS165 Security Plan includes procedures in the UTB/TSC Acceptable Use Policy, Information Resources and Security Policy, and Information Resources Security Operations Manual. It assumes that procedures required by these documents are already being implemented.
All implementation specifications in this plan are required.
UTS165 Security Plan Implementation Specifications
I. Administrative Safeguards
- Risk Assessment: UTS165 requires each institution to establish a schedule for risk assessments and audits of systems containing SSNs.
- Workforce Security
  - Workforce Clearance Procedure: UTS165 requires institutions to limit access to SSNs to those employees who need to see the number for the performance of their job responsibilities.
  - Termination Procedure: Likewise, each institution should terminate access to SSNs when employment ends or when job responsibilities do not require access to such information.
- Security Incident Procedures: Institutions should implement procedures to address security incidents. Identify, report, and respond to suspected or known security incidents that threaten the integrity or security of SSNs.
- Contingency Plan: UTS165 requires institutions to protect the security of records containing SSNs during storage. This procedure ensures that records containing SSNs are included in the following:
  - Data Back Up Plan
  - Disaster Recovery and Emergency Mode Operation Plans
- Business Associates Agreements: UTS165 requires institutions to enter into a written contract with third parties when SSNs are shared.
II. Physical Safeguards
- Workstation Use Procedures: UTS165 requires that institutions not store records containing SSNs on institutional or personal computers or other electronic devices that are not secured against unauthorized access. These procedures should complement those included in the UTB/TSC Acceptable Use Policy, Information Resources and Security Policy, and Information Resources Security Operations Manual.
- Device and Media Controls: UTS165 requires institutions to take security measures when discarding records or media containing SSNs.
III. Technical Safeguards
- Access Control Procedures: Procedures to create, modify, and terminate access rights, provide temporary access rights, and establish access rights to new applications or systems.
- Audit and Review Procedures: UTS165 requires institutions to monitor access to records containing SSNs.
- Person or Entity Authentication: Verify that a person or entity seeking access to SSNs is the one claimed and monitor access attempts.
- Transmission Security: Ensure that the confidentiality and integrity of SSNs are protected during transmission when SSNs are shared with other U.T. institutions or third parties acting as agents or contractors for a U.T. institution.