There’s Safety in Numbers!


Upload: iain

Post on 10-Jan-2016


DESCRIPTION

There’s Safety in Numbers! Temple University. Timothy O’Rourke, Vice President, Computer & Information Services. Barbara Dolhansky, Associate Vice President, Computer & Information Services.

TRANSCRIPT

  • There’s Safety in Numbers!

    Barbara Dolhansky, Associate Vice President, Computer & Information Services

    Timothy O’Rourke, Vice President, Computer & Information Services

    Temple University

  • The Hard Facts!

    Identity theft is the fastest growing crime in America; 9.9 MILLION victims were reported last year, according to a Federal Trade Commission survey!

    4/11/06 Specialty retailer Ross-Simons said a security breach detected earlier this month compromised personal information on 32,000 customers who applied for store credit cards from October 2004, when the cards were first issued, to April 4, when the problem was verified, Ross-Simons spokesman said the data that was accessed was similar to the information on any credit application, including Social Security numbers. (Associated Press Newswires, April 13, 2006)

    4/20/06 Boeing is notifying 3,600 current and former employees that their names, Social Security numbers and in some cases, addresses and phone numbers, may have been compromised after a laptop was stolen several days ago. The laptop was grabbed from a Boeing human-resources employee at an airport, said company spokesman Tim Neale. (The Seattle Times, April 21,)

  • The Hard Facts!

    4/29/06 A Union Pacific employee’s personal computer was stolen Saturday, April 29, which contained a report with the names, Social Security numbers and birth dates of 30,000 employees at Union Pacific. (Union Pacific Statement, May 8, 2006)

    5/25/06 VyStar Credit Union announced Thursday that hackers stole VyStar members’ personal account information. 34,000 customer accounts were affected. The pilfered information includes names, addresses, social security numbers, birth dates, mothers’ maiden names and e-mail addresses. (The Florida Times-Union, May 27, 2006)

    7/2006 A laptop computer containing personal information of more than 133,000 Floridians was stolen in late July from a government SUV parked in front of a popular Doral cafeteria, the U.S. Department of Transportation announced Wednesday. There is no evidence that the data have been used illegally, DOT officials stressed Wednesday in Washington and Miami. (The Miami Herald, August 10, 2006)

  • The Hard Facts! 2006 Disclosures of U.S. Data Incidents

    At least 148 incidents have been disclosed, potentially affecting nearly 9.3 million individuals

    30% of disclosures involve educational institutions; 30%, governmental or military agencies; 18%, general business; 11%, health care facilities or companies; and 11%, banking, credit or financial services entities.

    Since January 2006 at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges

    We store similar personal information as a bank and we’re easier prey than a bank!

    Most states enacting legislation penalizing the failure to adequately protect an individual’s privacy!

  • PA Senate Bill 712: Breach of Personal Information Notification Act

    Enacted June 20, 2006 by the PA legislature

    Provide notice (written, telephone or substitute) to individuals in event of security breach of personal information

    First name & last name linked with:
      SSN
      Driver’s license number or state ID card
      Financial account number, debit or credit card number, in combination with security code to access account information

    Not just about electronic data! Paper files also included in law.

  • Who are We?

    Based in Philadelphia, Temple is one of Pennsylvania’s three public research Universities, along with Pitt & Penn State

    The University has over 35,000 students, 16,000 annual W-2s issued, and over 230,000 alumni

    26th largest University in the United States

    6th largest provider of professional education in the country

    17 schools and colleges including schools in Law, Medicine, Pharmacy, Podiatry, & Dentistry and campuses in Tokyo, Japan, & Rome, Italy

    $90 million Physicians Practice Plan

    Total operating budget of $900 million

    Temple Health System (a wholly owned subsidiary of the University) is a $1 billion operation made up of 13 separate corporate entities and has over 5,000 employees. The University runs the HR system for the Health System.

  • Our Goals!

    Protect the personal data of our students, faculty, administrators, and alumni

    Increase our confidence that the personal data is adequately protected

    Educate / improve awareness among Temple community as to the importance of confidentiality and the personal protection of their data

    Keep us out of the newspapers!

  • Our Challenges!

    Many old legacy systems employed SSN as key: Student, HR, Finance

    SS# key to all of our systems

    Almost 1,000,000 unique SSNs in these systems

    Over 25 centrally maintained ancillary systems using SSN as Key

    Complex web of shadow systems and an unknown number of Access data bases and spreadsheets throughout departments

    Limited resources and many other priority initiatives

    Delay of ERP deployment

    Passed policy in September 2004, with a hard deadline of September 30, 2005

  • The Project

    Barbara Dolhansky

  • True Confessions / Things Not to Do

    Don’t enlist five computing students to perform code changes

    Don’t forget your school mascot

    Don’t expect alumni to donate money to the cause.

    Don’t forget to have a conversion concierge.

  • Important >>>> It’s a Big Project! >>>> PLAN

    13,000 HOURS!!!

    Summary Task Name                      Estimated Hours
    SSN Elimination Project                         13,000
    Project Management                                 550
    Develop Information Website                         20
    Develop Search Screen                              600
    Develop Potential Matches Screen                   600
    Develop Add/Update Logic                           400
    ISIS Modifications                               1,850
    HRS Modifications                                  820
    FMS Modifications                                  240
    Access Card Modifications                          700
    Snyder Reporting Modifications                     420
    Convert Ancillary Systems                          840
    Develop Multiple Records Process                   350
    University Forms                                 1,360
    Conversion                                       2,600
    User Testing                                       850
    Training                                           400
    Establish Data Integrity Office                    400

  • Timeline

    Milestone Description

  • [Organization chart]

    Executive Committee: Barbara Dolhansky, Computer Services

    Conversion Team: Matt Waldron, Computer Services

  • Major Central Systems

    Integrated Student Information System (Records back to 1963)
    ID Card System
    Human Resource System (Records back to 1993)
    LDAP Directory
    Financial Management System (Records back to 1987)
    Student Recruitment Information System (SRIS)

  • Central Ancillary Systems

    Kronos Time Reporting System
    Undergraduate Application Website
    Position Control System
    Graduate Application Website
    Telephone Billing
    Document Imaging System
    RMS Housing System
    McGann Parking System
    Ethernet Access in Residence Halls Website
    QConnect Appointment System
    Library System
    Many Interfaces
    First Year Writing Program System
    Judicial Database System
    Help Desk System
    Departmental Shadows Systems
    Focus Reporting System

  • Offices Affected

    Academic Computer Services
    Schools/Colleges/Campuses
    Computer Services Information Security
    School of Medicine
    Telecommunications
    School of Podiatric Medicine
    Document Imaging Office
    School of Dentistry
    Office of Undergraduate Admissions
    School of Law
    Graduate School
    School of Pharmacy
    Development Office
    Planning and Policy Analysis
    Office of Human Resources
    International Programs
    Bursar
    Campus Safety
    Recreation Services
    Provost Office
    Student Financial Services
    Legal Counsel
    Academic Records Office
    Privacy Officer
    General Accounting
    Internal Audits
    ID Card Office
    Student Affairs
    TUHS and Affiliates
    Parking
    Housing
    Library

  • Our Clever Nine Digit Unique Identifier: The TUid

    First digit set to 9 and the last digit is a check digit.

    Sequentially assigned from one database; automatically updates two legacy systems.

    Purchased NameSearch from IntelligentSearch to assist with record matching.

    One number assigned to an individual, used across the entire institution.

    Stored in systems that may have separate ID.
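
An added example, not taken from the slides or from Temple's systems: issuing and validating a nine-digit identifier with the layout described above (leading 9, sequential body, trailing check digit), so an entry screen can reject mistyped IDs and set aside nine-digit input that is not a TUid. The slides do not name the check-digit algorithm; Luhn is assumed here, and `make_tuid` and `classify` are hypothetical names.

```python
import re

def luhn_check_digit(body: str) -> int:
    """Check digit for a string of digits (ASSUMPTION: Luhn; the slides name no algorithm)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # every second digit, starting next to the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10

def make_tuid(seq: int) -> str:
    """Build an ID from a sequential counter: '9' + 7-digit sequence + check digit."""
    if not 0 <= seq <= 9_999_999:
        raise ValueError("sequence exhausted or negative")
    body = "9" + f"{seq:07d}"
    return body + str(luhn_check_digit(body))

def classify(raw: str) -> str:
    """Classify what a user typed into an ID field.

    'tuid'            well-formed identifier, check digit matches
    'bad-check-digit' leading 9 but the check digit fails (typo or transposition)
    'not-tuid'        nine digits without the leading 9; treat as a possible SSN
                      and route to the approved SSN handling path, do not store it
    'invalid'         anything else
    """
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{9}", digits):
        return "invalid"
    if digits[0] != "9":
        return "not-tuid"
    if luhn_check_digit(digits[:8]) != int(digits[8]):
        return "bad-check-digit"
    return "tuid"

if __name__ == "__main__":
    # Constructed sample inputs, not real identifiers.
    for value in (make_tuid(1), "900000018", "900000216", "123-45-6789", "90000001"):
        print(f"{value!r:>14} -> {classify(value)}")
```
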

  • Policy

    The use of the Social Security number as a primary identifier for Temple-Related Individuals shall be avoided, except as required by law or as required by practical necessity as approved by the President or other designated University officers. The Vice President for Computer and Information Services shall develop and implement procedures for ensuring compliance.

    Compliance Date: September 30, 2005

    ** Separate SSN procedures define guidelines for SSN handling

  • Components of SSN Procedures

    Primary Identifier

    Guidelines for collecting and storing

    List of Approved Uses of Social Security Numbers

    University Forms Guidelines

    Guidelines for Computer and Information Systems
      Encryption
      Display of SSN

    List of Social Security Number Safeguards

  • User Approvals Required

    Social Security Number Usage Request Form
      System requires storage of SSN
      Must be encrypted

    Access to Social Security Number Approval Form
      Individuals viewing / updating SSN

    Required, promotes compliance and is audited by Internal Audits.

  • Extensive Training

    New Data Entry and Search Screens
      Human Resource System
      Student System

    Mandatory

    Conducted 6 weeks prior to conversion

    Adding and Searching for Individuals
      Name, TUid or SSN, Birth Date, Address

    Authentication Procedures: What’s your SSN.

  • Conversion

    Milestone Description

  • Re-carding

    Milestone Description

  • Temple ID Card

    Diamond Dollars
    Building access
    Parking privileges
    Library privileges
    Printing privileges
    Display TUid on Front
    Hologram
    OWLcard

  • Card Design

    Publications / Office of University Communications

    Presented Executive Committee 2 Choices

    What is printed? Display TUid? President Final Choice

    Verbiage on Reverse: University Counsel

    Health System Designs (JCAHO standards)

  • Card Distribution

    24,000 Returning Student IDs produced
    10,000 New Students
    7,400 University Employee IDs
    7,500 Health System Employee IDs

  • Card Distribution - Employees

    Cards Distributed to Dean & Vice Presidential Offices

    Employees must sign for receipt of card

    Signed receipt forms & unclaimed cards returned to Human Resources

    OWLcards cannot be mailed

    Returned OWLcards shredded

  • Card Distribution - Students

    Multiple distribution points: card office, large hall, campuses

    Students must swipe cards after pickup

    OWLcards cannot be mailed

    Professional Schools & Ancillary Campuses return unclaimed cards to Central Office

    Unclaimed cards shredded

  • Why I Still Have My Job / Lessons Learned!

    Engage support of Senior Management / an essential ingredient

    Tell everyone what you’re doing / communicate and publicize

    Seek input from those affected / involve the community

    Learn from others’ mistakes / talk to other Universities/Colleges

    Create detailed conversion test plan / down to the hour!

    Develop a roll back plan / mistakes do occur

    Change project team members if necessary

  • More Lessons Learned

    Look for the hidden systems / spreadsheets and files are systems

    Include programmers on Shadow System Team

    Allow plenty of lead time for ID card vendor selection & processing

    Help departments with their conversion process

    Maintain on demand support during implementation

    Send friendly reminder e-mails to the entire community

  • Lingering Pains

    Issuing multiple TUids to one person

    Dealing with alumni who do not know TUid

    Cleaning historic data

    SSN and personal info remaining on laptops and workstations

    Non-supported vendor-provided systems that could not be converted

    Shadow systems and non-central servers

  • Questions?

    There’s Safety in Numbers

    http://ssn2tuid.temple.edu