UA to establish new personal information rules
Friday November 9, 2001
Guidelines come as response to state law
The UA is establishing more stringent guidelines for protecting students' personal information and social security numbers from outside entities that might want to access them.
A recently passed state law requires that all new students receive ID numbers that are different from their social security numbers by the end of the year. Students whose ID numbers were assigned prior to the law's enactment will have the option to change them.
But the new law is not the only reason for the tighter protection on personal information.
Peter Perona, chairman of the University of Arizona Information Security Advisory Board, said UA President Peter Likins established the guidelines in response to a 1998 incident in which students' social security numbers were released to private vendors.
"The university has better security over personal information than most other schools," he said. "Sometimes bad news leads to good news."
The UA's Security Incident Response Team monitors computer network traffic for possible hackers outside the university.
"They watch the network all the time for possible hackers," Perona said.
Although the new guidelines were established in response to the incident with private vendors, Perona said officials are still wary that history could repeat itself.
When the university issues new contracts to vendors, especially those that will need access to the university's network, officials must be careful not to allow vendors access to students' personal information.
"It is important to have the proper language in contracts to prevent vendors from access of private information," Perona said.
ISAB has created a Web site to help students and staff better understand the privacy issue. The site can be accessed at http://w3.arizona.edu/~security/guidelines.htm.
"We provide a Web page with info on what people can do to protect themselves," Perona said. "It is a multi-faceted effort to protect privacy and security."
Perona said ISAB also wrote and distributed guidelines for faculty and staff to follow when handling personal information.
Robert Lancaster, coordinator of information security for the Center of Computing and Information Technology, said the board sent a reminder to department heads to be careful with personal information and who may gain access to it.
"The board felt it was appropriate to document the best practices of protecting anything that can be personal," he said.
The board will continue to distribute more information as it becomes official.
"This is the first wave of information distributed and the board will continue to update the university with more information," Perona said.
The distribution of the guideline to each department has been planned for several months and was not a result of the Sept. 11 attacks.
The board is currently putting together a "question and answer" Web site for faculty to consult in situations involving the release of personal information.