The University of Texas at Brownsville
and
Texas Southmost College
Business Procedures Memorandum 66-01-04
Protecting the Confidentiality of Social Security Numbers
Security Plan
The University of Texas at Brownsville and Texas Southmost College (“UTB/TSC”) is committed to safeguarding its valuable information assets and protecting the privacy of those it serves. To that end, UTB/TSC develops and maintains a successful information security program that includes enforceable policies and procedures to protect privacy and safeguard UTB/TSC’s information assets.
This compilation of procedures governs the security of social security numbers (“SSN’s”). The procedures are intended to comply with BPM-66 Section 3.5.1, which requires each institution to develop and implement a written security plan for records and record systems that contain SSN’s.
BPM-66 governs the confidentiality, integrity and availability of individuals’ SSN’s maintained by U.T. institutions. The BPM-66 Security Plan shall include administrative, physical, and technical safeguards that (i) ensure the confidentiality, integrity and availability of all SSN’s U.T. institutions maintain; (ii) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and (iii) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by law.
To avoid unnecessary duplication of effort, the BPM-66 Security Plan is based on Subpart C of Part 164 of the HIPAA Security Standards and leverages UTB/TSC’s ongoing efforts to consolidate all security risk assessments required to comply with institutional, state, and federal regulations.
By reference, the BPM-66 Security Plan includes procedures in the UTB/TSC Acceptable Use Policy, Information Resources and Security Policy, and Information Resources Security Operations Manual. It assumes that procedures required by these documents are already being implemented.
All implementation specifications in this plan are required.
BPM-66 Security Plan Implementation Specifications
- Administrative Safeguards
  - Risk Assessment: BPM-66 Section 3.6.3 requires each institution to establish a schedule for risk assessments and audits of systems containing SSN’s.
  - Workforce Security
    - Workforce Clearance Procedure: BPM-66b Section 3.4.1 requires institutions to limit access to SSN’s to those employees who need to see the number for the performance of their job responsibilities.
    - Termination Procedure: Likewise, each institution should terminate access to SSN’s when employment ends or when job responsibilities no longer require access to such information.
  - Security Incident Procedures: Institutions should implement procedures to address security incidents: identify, report, and respond to suspected or known security incidents that threaten the integrity or security of SSN’s.
  - Contingency Plan: BPM-66 Sections 3.4.2 and 3.5.2 require institutions to protect the security of records containing SSN’s during storage. This procedure ensures that records containing SSN’s are included in the following:
    - Data Backup Plan
    - Disaster Recovery and Emergency Mode Operation Plans
  - Business Associates Agreements: BPM-66 Section 3.4.6 requires institutions to enter into a written contract with third parties when SSN’s are shared.
- Physical Safeguards
  - Workstation Use Procedures: BPM-66 Section 3.4.4 requires that institutions not store records containing SSN’s on institutional or personal computers or other electronic devices that are not secured against unauthorized access. These procedures should complement those included in the UTB/TSC Acceptable Use Policy, Information Resources and Security Policy, and Information Resources Security Operations Manual.
  - Device and Media Controls: BPM-66 Section 3.5.3 requires institutions to take security measures when discarding records or media containing SSN’s.
- Technical Safeguards
  - Access Control Procedures: Procedures for creating, modifying and terminating access rights, granting temporary access rights, and establishing access rights to new applications or systems.
  - Audit and Review Procedures: BPM-66 Section 3.4.2 requires institutions to monitor access to records containing SSN’s.
  - Person or Entity Authentication: Verify that a person or entity seeking access to SSN’s is the one claimed, and monitor access attempts.
  - Transmission Security: Ensure that the confidentiality and integrity of SSN’s are protected during transmission when SSN’s are shared with other U.T. institutions or with third parties acting as agents or contractors for a U.T. institution.