Computer Security: PII and the Importance of Permissions

You have heard the security buzz about managing personally identifiable information (PII) and how to prevent identity theft. (A list of information that constitutes PII can be found here.) Previously, we addressed the definition of PII and the need to keep it off portable devices. Removing the PII from one's possession by transferring it to centrally managed file servers, such as the Z drive or Andrews Files System (AFS) home directories, is a crucial first step. But once PII is moved to central file systems, you still need to set the appropriate file system permissions to ensure the information within your control is not publicly accessible.

"This is an evolving issue, and recommendations most likely will change over the next few months as we learn more, and develop new guidance," says SLAC computer security team member Heather Larrieu. "In the meantime, it's important to minimize the gathering of PII in our processes and procedures and to set the appropriate permissions for files stored on the network drives."

The central Z drive is accessible to all Windows users working at SLAC. By default, the security settings for these files are set so that only the owner and administrators have access unless permissions are manually changed. If you are a Windows user and have not changed the default security settings on your Z drive, then you do not need to take any action. Those settings can be reviewed and changed by right clicking on your personal folder on the Z drive and selecting "Properties" and the "Security" tab.

The Unix operating system uses AFS to access central network drives, and by default security settings on AFS home directories are left open to anyone. Therefore it is imperative for all Unix users to manually specify who can access the files they place in the AFS.

Alternatively, users should store files in a private subdirectory.

This applies to anyone using an AFS client to access central network drives. By default, a directory named "private" exists in everyone's AFS home directory that can be accessed only by the owner and system administrators. Contact the Help Desk for assistance in configuring your file security settings or if you are unsure which system you are using.

—Brad Plummer
SLAC Today, October 26, 2006

Handy Links

SLAC News Center

SLAC Today

SLAC News

Lab News

SLAC Links

Stanford

Around the Bay

Computer Security: PII and the Importance of Permissions



Handy Links SLAC News Center News Center home page SLAC Today SLAC Today Subscribe Archives: Feb 2006-May 20, 2011 Archives: May 23, 2011 and later Submit Feedback or Story Ideas About SLAC Today SLAC News SSRL Headlines symmetry magazine TIP Archives Lab News Interactions Lightsources.org ILC NewsLine Int'l Science Grid This Week Fermilab Today Berkeley Lab News @brookhaven TODAY DOE Pulse CERN Courier DESY inForm US / LHC SLAC Links Emergency Safety Policy Repository Site Entry Form Site Maps M & O Review Computing Status & Calendar SLAC Colloquium SLACspeak SLACspace SLAC Logo Café Menu Flea Market Web E-mail Marguerite Shuttle Discount Commuter Passes Award Reporting Form SPIRES SciDoc Activity Groups Library Stanford Stanford University Stanford Report Stanford Events Life on Campus Around the Bay Bay Area Traffic Bay Area Weather Caltrain BART	Computer Security: PII and the Importance of Permissions You have heard the security buzz about managing personally identifiable information (PII) and how to prevent identity theft. (A list of information that constitutes PII can be found here.) Previously, we addressed the definition of PII and the need to keep it off portable devices. Removing the PII from one's possession by transferring it to centrally managed file servers, such as the Z drive or Andrews Files System (AFS) home directories, is a crucial first step. But once PII is moved to central file systems, you still need to set the appropriate file system permissions to ensure the information within your control is not publicly accessible. "This is an evolving issue, and recommendations most likely will change over the next few months as we learn more, and develop new guidance," says SLAC computer security team member Heather Larrieu. "In the meantime, it's important to minimize the gathering of PII in our processes and procedures and to set the appropriate permissions for files stored on the network drives." The central Z drive is accessible to all Windows users working at SLAC. By default, the security settings for these files are set so that only the owner and administrators have access unless permissions are manually changed. If you are a Windows user and have not changed the default security settings on your Z drive, then you do not need to take any action. Those settings can be reviewed and changed by right clicking on your personal folder on the Z drive and selecting "Properties" and the "Security" tab. The Unix operating system uses AFS to access central network drives, and by default security settings on AFS home directories are left open to anyone. Therefore it is imperative for all Unix users to manually specify who can access the files they place in the AFS. Alternatively, users should store files in a private subdirectory. This applies to anyone using an AFS client to access central network drives. By default, a directory named "private" exists in everyone's AFS home directory that can be accessed only by the owner and system administrators. Contact the Help Desk for assistance in configuring your file security settings or if you are unsure which system you are using. —Brad Plummer SLAC Today, October 26, 2006