SLAC Today logo

Computer Security: PII and the Importance of Permissions

You have heard the security buzz about managing personally identifiable information (PII) and how to prevent identity theft. (A list of information that constitutes PII can be found here.) Previously, we addressed the definition of PII and the need to keep it off portable devices. Removing the PII from one's possession by transferring it to centrally managed file servers, such as the Z drive or Andrews Files System (AFS) home directories, is a crucial first step. But once PII is moved to central file systems, you still need to set the appropriate file system permissions to ensure the information within your control is not publicly accessible.

"This is an evolving issue, and recommendations most likely will change over the next few months as we learn more, and develop new guidance," says SLAC computer security team member Heather Larrieu. "In the meantime, it's important to minimize the gathering of PII in our processes and procedures and to set the appropriate permissions for files stored on the network drives."

The central Z drive is accessible to all Windows users working at SLAC. By default, the security settings for these files are set so that only the owner and administrators have access unless permissions are manually changed. If you are a Windows user and have not changed the default security settings on your Z drive, then you do not need to take any action. Those settings can be reviewed and changed by right clicking on your personal folder on the Z drive and selecting "Properties" and the "Security" tab.

The Unix operating system uses AFS to access central network drives, and by default security settings on AFS home directories are left open to anyone. Therefore it is imperative for all Unix users to manually specify who can access the files they place in the AFS.

Alternatively, users should store files in a private subdirectory.

This applies to anyone using an AFS client to access central network drives. By default, a directory named "private" exists in everyone's AFS home directory that can be accessed only by the owner and system administrators. Contact the Help Desk for assistance in configuring your file security settings or if you are unsure which system you are using.

óBrad Plummer
    SLAC Today, October 26, 2006