Maybe he didn't really think this through.

A friend pointed me to this article about a student list at Texas A&M Corpus Christi that was "misplaced" for a few hours. The list contained the personally identifiable information of 49 students. The list contained names and social security numbers of the students. This is the second incident in less than 2 months for TAMCC.

This post isn't about the incident or how it was handled by the college. It's about a comment that was left. Here is the comment:

Posted by josegutz on July 12, 2007 at 1:24 p.m.

It seems like it is an issue with the IT department at TAMUCC.
They need to ban all key or flash drives from being used if they cannot get that security measure together about using SSN's for identity purposes. They should do a PKI access after all they use access cards for Identity when enrolling at the University. Banning these thumb drives would minimize the security risk of someone walking off with all of this information. I don't want to get in too deep about all this technical garb since it seems that one would have a hard time to comprehend such a concept.

Here is my issue with the comment:

1. This has absolutely NOTHING to do with the IT department.
2. This has absolutely NOTHING to do with flash drives.
3. IT does not dictate whether or not the university uses student SSN's as identifiers.
4. PKI would not have prevented a student from walking off with a SHEET OF PAPER.
5. PKI is not an easy technology to implement or manage especially is a university environment where my nature of what they do the network needs to be open.
6. Banning thumb drives would not have prevented anyone from walking off with a SHEET OF PAPER!

This comment just set me off for some reason. Maybe it's because I have friends who work in IT and security for several universities. Maybe it's because the person tried to blame the IT staff for this and IT gets enough of a bad rap as it is. Maybe it's because the comment really didn't serve any constructive purpose except to put blame on someone without having all, no wait, ANY of the facts. Maybe it's because this person probably works in IT. I say that because the average person does not know what PKI is or how it works. Apparently this person doesn't really have much of an understanding of PKI either. If he did he would have realized point 5 above.

Now that I have ranted let me try to add value to this.

1. Yes, it is a bad idea to use students SSN's as identifiers. I have it on pretty good authority that this is going to change in the very near future.
2. Yes, PKI can help mitigate the risk associated with storing PII. It can be used to prevent it from being accessed by unauthorized users. It can be used to enforce security policies that could prevent copying data to removable media or prevent documents from being printed. But it has to be used in conjunction with other technologies to be effective.
3. There is no reason for the SSN's to be on the class roster that is given to the professor. But it is not the fault of IT or Security that this happens. Even if there are policies in place they have to have the support from Management in order to be enforced and true enforcement would require other technology to be implemented.
4. Security is not just the responsibility of the IT or Security. It is something that has to be embraced by everyone (or most everyone) in the environment. The professors have a share of the responsibility even more so than the IT department does.
   

Then my final point. If you really want to blame someone for all the problems that SSN has caused us, blame President F.D. Roosevelt and the U.S. Congress of 1935. They are the ones who gave us Social Security Numbers. :)