[nycphp-talk] Encrypt and decrypt to store in DB - careful!
inforequest
1j0lkq002 at sneakemail.com
Fri Aug 4 22:43:42 EDT 2006
Aaron Fischer agfische-at-email.smith.edu |nyphp dev/internal group use|
wrote:
>I'm not sure if my description of shared hosting environment is accurate.
>
>I am with one department at a college. There are a number of
>departments who use the same web server. The IT department maintains
>the server and assigns permissions and directory access to the various
>departments. It is in that sense that I am in a shared environment.
>
>The SS# is not being used as a unique identifier. It is part of the
>information that a student can choose to fill in when they are applying
>for admission to the college. (It is not a required field.)
>
>Not sure what the sring is or how to keep the key offline, but those are
>the types of issues I want to be researching. The encryption part of
>the application development won't start until at least next week.
>
>-Aaron
>
>
>
Well, that could be even worse if you don't control the server and those
who do have no accountability for what you do on that server.
From the sound of things, you don't need to collect SSN so why take
that risk? As soon as it is entered, it becomes a liability (depends on
what state you're in what the liability actually is).
It seems your college is actually rather progressive in trying to
protect student data and privacy: see
http://64.233.161.104/search?q=cache:KoF0heipsy8J:searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1171482,00.html%3Fbucket%3DNEWS+%22smith+college%22+policies+on+social+security+numbers&hl=en&gl=us&ct=clnk&cd=3
"Added to the mix are.....<redacted>.... both small liberal arts womens'
schools. According to Schneider, these two schools are interesting to
the alliance because they have young, predominantly female student
populations to lend diversity to the more technical campuses."
There is also a privacy policy online that seems to suggest info is to
be safeguarded, although by a very quick read it was not a very
pro-student policy IMHO.
http://www.*******.edu/sao/handbook/policies/privacyofrecords.php
It may be that someone added that field as optional and
just-in-case-it-might-be-useful so if you can find any policy at all
that questions it, it might disappear from the specifications. Is the
university involved in research grants from the government? If yes, it
may be a covered entity under HIPAA, which regulates the use and storage
of ss#. Maybe check your university IT policies on SS# just enough to
find a need for clarification, to make the issue go away for a while?
Best of luck passing the buck.
--
-------------------------------------------------------------
"If you think this stuff is confusing, you should try optimizing websites for search engine exposure." john andrews SEO http://www.johnon.com