Introduction: University departments must act
Importance of protecting SSNs and other PNPI
Guidelines for protecting PNPI
PNPI software tools
For more information
Questions or comments
Copyright © 2005, University of Delaware
Last updated: 11/22/05
The two greatest threats to the security of Personal Non-Public Information
To be sure that information for which you are responsible is secure,
follow the University's guidelines for protecting
PNPI. These guidelines are available in a brochure mailed to all employees in September
2005 (Adobe PDF format). In addition, this web page presents
frequently answered questions about the guidelines.
- an unsecured, non-password-protected or compromised computer
- and paper documents containing PNPI.
Ensure the Privacy of PNPI
- What is considered PNPI?
Examples include, but are not limited to:
- Credit card or bank account numbers
- Medical or educational records
- Other sensitive, confidential or protected data (e.g., grades
used in context with personally identifiable information such
as name, address, or other easily traceable identifiers).
- How often should departments review their use of PNPI?
Departments should conduct an annual review all business processes
that require the use of PNPI. During that review, a department's
employees should ask themselves questions like the following
- Do we really need to collect this information?
- How are we safeguarding any electronic records that contain
- How are we safeguarding any paper records that contain
- When we are done using the information, do we store it
securely or discard it safely?
Encrypt Electronic Transmissions
- I have a web site on my departmental server that is not secure. How can
I secure it?
Use the University's
Central Authentication Service (CAS) for authentication.
- I want to restrict a web site on my departmental server to select individuals.
Can I request their name and SSN for access?
No, use CAS to authenticate.
- Can I telnet into University servers to work with PNPI?
No, telnet does not encrypt traffic. Use SSH which
encrypts all traffic. If working off campus, use UD's VPN service.
- Is accessing my e-mail secure?
No. You should turn on SSL/TLS for the incoming and outgoing mail
server in your mail client. This process does not encrypt the transmission
of e-mail. Therefore, you should not send PNPI through e-mail.
- How can I tell if a web site I am using is encrypted?
The site's URL should begin with https. Many browsers,
for example, Mozilla, have an icon representing a lock at the lower
right of the browser window. If you are unsure about the authenticity
of the site, you can double-click the lock icon and review the certificate
Do Not Store PNPI Locally
It is a University goal that PNPI not be stored locally. If, for some
reason, you feel you have to do this, recognize that your department
is responsible for the information. The Personal
Non-Public Information (PNPI) policy states that if
PNPI must be stored locally in the unit, it must be encrypted. Contact
Technologies for options for protecting it.
- Is it safe for me to store PNPI locally on my computer or on removable
devices (e.g. floppy disks, iPods, PDAs, cell phones, flash/jump drives)?
No. You should not store PNPI locally. "Locally" is defined
as storing information directly on your computer or removable media.
- How should I secure my computer when I am away from the office?
You should set a password
that cannot be easily guessed and lock the computer when you are
- How should I dispose of PNPI data?
Shred paper copies and delete any e-mail. If you need to store data
on your computer electronically, remove SSNs and any other PNPI from
the electronic file. For more information, see Responsible
Computing: A Manual for Staff.
- What should I do if I have a class roster with SSNs?
As of August 2005, class rosters no longer have student SSNs. If
you are required to retain copies of old grade rosters, make
certain that they are stored in a locked location. When you
dispose of the old rosters, shred the paper copies and delete
any e-mail containing the students' SSNs. If you need to retain
grade information from past semesters on your computer, remove the SSNs
from the data file(s). In addition, because grade
information is also PNPI protected by FERPA, you should encrypt any files you retain or move them to a
- I use computerized test scoring. Do students have to write their
SSNs in the "Student ID Number" section?
No. On the brown student response form used with the Test Scoring
program, the "Student ID Number" section should not be used
for SSNs. You can post or track grades by assigning students a substitute
number known only to you and the student. Students can use that number
in the "Student ID Number" section.
If you are looking for a unique identifier to track students in your
class, we suggest having the students enter their UDelNet ID in the
Last Name space and the first 7 characters of their last name in the
First Name space.
If students mistakenly fill in their SSNs in the "Student ID
Number" section, you will need to shred the brown response sheets.
Also, if you do generate a grade file and plan to download it to your
PC, remember to delete the SSN column.
For updated information on using the "Student ID Number"
field in a Test Scoring job, please see the Test Scoring
Ensure PNPI Security When Working from Home or Outside the University
- How can I encrypt traffic from my e-mail or other electronic transmissions
from home or while traveling?
You should use the University's Virtual Private Network (VPN)
service. Doing so will encrypt all traffic between the University's VPN
appliance and your computer. If you use an outside ISP or a wireless
connection at home, using the VPN system will prevent others on
the network from seeing your traffic. Caution: Once your traffic goes beyond
the VPN appliance (i.e., to another server on the network), it will
no longer be encrypted.
- Can I use MVS to access PNPI at home or while traveling?
If you need to use MVS, you should use the new VPN system provided
by the University.
- Is it safe or all right to allow other individuals in my home or while
I am traveling to use my University-owned computer?
You should not allow non-UD individuals to use your University equipment.
Have Computer Equipment Audited
Can someone come to our department and review our computers for security?
Yes, you can contact the Help Center at 831-6000 to request that someone visit
your office. They will review your computer and talk with you about additional
measures that will help you protect your systems.
What can I do to ensure the protection of my computer?
- You have the University's antivirus software (McAfee) installed.
- You are up-to-date on the latest patches for your operating system.
- You are up-to-date on patches for software on your computer.
- You have protected the account with which you log into your computer
with a password that cannot easily be guessed.
Visit the Help Center's security
pages for more information.