The University of Pennsylvania enacted a comprehensive Social Security Number policy in May of 2007. The stated purpose of the policy was to protect Social Security numbers by eliminating them, converting them to University-specific Penn ID numbers, truncating them to the last four digits, or enforcing strict controls (encryption) on the storage of necessary Social Security numbers.
The adoption of this policy posed several immediate challenges to the University's information security staff. The most prominent of these challenges was locating Social Security numbers in University data stores in order to remediate them in accordance with the new policy. Without a clear picture of where our personally identifying information (PII) was stored, it would be impossible to embark on any successful policy compliance plan.