Educause Security Discussion mailing list archives

Re: Early release - free commercial grade PII/NPI discovery software


From: Gary Golomb <gary () PROVENTSURE COM>
Date: Tue, 27 Nov 2007 20:15:32 -0500



Hi there all-



Two quick notes.



One - An update has been posted. If you've already grabbed the software, you
can click on the "Check for Updates" button and it will self-update. As time
goes on and updates are made, you can either re-download the installer, or
just use the "Check for Updates" button.



The second thing - A few different people wrote about it not detecting test
files. I looked at the data within those files from a few different people
and thought I should make a note about how the application works...



The Proventsure Personal Assessor uses multiple layers of validation for
most types of "sensitive" information. Just because a CC or SSN passes
simple checks like Luhn or SSN formats does not mean the Self Assessor will
generate alerts for them. Potential hits are also checked for structural
validity, which means a number of different things depending on the actual
hit. After that, the context of the potential hit is examined. The search
algorithms within the application are based on the same Computational
Biology algorithms used in the Human Genome Project to find genes that were
previously undiscovered in human DNA, which makes them sensitive to the type
of data surrounding the potential hit - not just the potential hit itself.
After all those checks, the results are finally checked for statistical
significance. In other words, it has to look statistically like a valid
number. It is possible for a CC or SSN to pass checks like Luhn, etc., but
not look anything like a real number. The following is a Visa CC example of
this: 4111111111111111. Something like that would not trigger an alert, nor
will SSNs that are not valid or look made-up (like 123-45-6789, and things
like that).



Anyways, I hope the tool is useful for everyone here. Again, since I left
Higher Ed last year, I haven't spent too much time monitoring the list, so
if you have questions, please make sure to email me directly.



Thanks!



-Gary







Proventsure's Governance, Risk, and Compliance Platform nominated for the

Most Innovative Technology of the Year Award

By Information Security magazine and the Burton Group

http://infosecurityconference.techtarget.com/conference/




Gary Golomb

Founder, President

Phone: (800) 916-9211

Cell: (443) 536-5757

Web: http://www.proventsure.com
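
The layered validation described in the note above, as an added example that is not Proventsure's code and not the product's actual logic: a small Python scanner that runs every candidate through a Luhn check, a structural check (issuer prefix and length for cards; never-issued area/group/serial values for SSNs), a context check over the surrounding text, and a crude statistical plausibility check that rejects numbers such as 4111111111111111 and 123-45-6789 even though they pass the earlier layers. The regular expressions, keyword list, window size, plausibility thresholds and the sample text are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed rules for illustration; these are assumptions, not Proventsure's logic.
CC_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
CONTEXT_WORDS = ("ssn", "social security", "card", "visa", "mastercard", "amex", "account")
CONTEXT_WINDOW = 40  # characters examined on each side of a candidate


def luhn_ok(digits: str) -> bool:
    """Layer 1: checksum. Necessary, but 4111111111111111 passes it too."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def cc_structure_ok(digits: str) -> bool:
    """Layer 2 (cards): issuer prefix and length must agree (simplified table)."""
    n = len(digits)
    if digits[0] == "4":                       # Visa
        return n in (13, 16)
    if digits[:2] in ("34", "37"):             # American Express
        return n == 15
    if "51" <= digits[:2] <= "55":             # Mastercard (legacy range)
        return n == 16
    return False


def ssn_structure_ok(area: str, group: str, serial: str) -> bool:
    """Layer 2 (SSNs): reject area/group/serial values the SSA never issues."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def context_ok(text: str, start: int, end: int) -> bool:
    """Layer 3: the text around the hit should look like a place such numbers live."""
    window = text[max(0, start - CONTEXT_WINDOW):end + CONTEXT_WINDOW].lower()
    return any(word in window for word in CONTEXT_WORDS)


def looks_made_up(digits: str) -> bool:
    """Layer 4: crude statistical plausibility. One digit filling more than half the
    positions (4111...) or a counting sequence (123456789) is not a real number."""
    top_count = Counter(digits).most_common(1)[0][1]
    if top_count / len(digits) > 0.5:
        return True
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def scan(text: str) -> list:
    """Run each candidate through every layer; it alerts only if all of them pass.
    Each finding records which layers suppressed it, which is what you want in a log."""
    findings = []
    for m in CC_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        failed = []
        if not luhn_ok(digits):
            failed.append("luhn")
        if not cc_structure_ok(digits):
            failed.append("structure")
        if not context_ok(text, m.start(), m.end()):
            failed.append("context")
        if looks_made_up(digits):
            failed.append("plausibility")
        findings.append({"kind": "cc", "value": m.group(), "start": m.start(),
                         "alert": not failed, "failed": failed})
    for m in SSN_RE.finditer(text):
        area, group, serial = m.group().split("-")
        failed = []
        if not ssn_structure_ok(area, group, serial):
            failed.append("structure")
        if not context_ok(text, m.start(), m.end()):
            failed.append("context")
        if looks_made_up(area + group + serial):
            failed.append("plausibility")
        findings.append({"kind": "ssn", "value": m.group(), "start": m.start(),
                         "alert": not failed, "failed": failed})
    return sorted(findings, key=lambda f: f["start"])


def alerts(text: str) -> list:
    """Just the values that survived every layer."""
    return [f["value"] for f in scan(text) if f["alert"]]


# Constructed sample file content (the card numbers are Luhn-valid but fictitious).
SAMPLE_TEXT = """\
Ticket reference 4916998877665547 was closed by the helpdesk yesterday afternoon.
Customer card (Visa): 4539 1488 0343 6467
Emergency contact SSN: 219-09-9871
Test card in fixture: 4111 1111 1111 1111
Placeholder SSN in docs: 123-45-6789
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        status = "ALERT" if f["alert"] else "suppressed by " + ", ".join(f["failed"])
        print(f"{f['kind']:>3} {f['value']:<22} {status}")
```

Running it shows the first number suppressed for lack of context (a 16-digit ticket id that happens to pass Luhn), the fixture card and placeholder SSN suppressed by the plausibility layer, and only the two real-looking values alerting. The suppression reasons are worth keeping in the tool's log: when someone reports "it didn't find my test file", the log tells you which layer rejected it.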





From: Gary Golomb [mailto:gary () proventsure com]
Sent: Tuesday, November 27, 2007 3:19 PM
To: 'SECURITY () LISTSERV EDUCAUSE EDU'
Subject: Early release - free commercial grade PII/NPI discovery software





Hello there all-



I wanted to let you know Proventsure is releasing a free PII/NPI search
application that does a lot more than just search for sensitive information.
It's extremely user-friendly and actually educates users to the risks of
storing the information discovered on their system (and allows them to take
actions like encrypting, viewing, or removing the files).



No... There's no catch...



More information can be found here:

http://www.proventsure.com/Proventsure%20Free%20PII%20Discovery%20Audit%20and%20Management%20Application.html



If you are already a Proventsure customer:

Don't worry - this isn't going to undercut what you have in the enterprise
version. With an enterprise license, the same application will fully
integrate into your enterprise deployment. It will soon replace the current
"USB Single Scan Client" with a completely new suite of functionality you
can leverage - in addition to all the existing custom governance, risk, and
compliance assessment policies the enterprise version supports (including
full custom and/or open source module development). It understands several
different levels of licenses, and will help scan systems in completely
distributed environments - while providing a very unique level of end-user
education/involvement in the information accountability process.



If you would like to access an early version of the application, you can get
it from:

http://www.proventsure.com/Proventsure%20Self%20PII%20Detection.zip





If you want a funny story about the development of this, read on...



Our goal was to make the application as easy as possible to use for normal
non-IT users. With the first version, I figured my dad would be a good test
to see if we accomplished our "ease of use" goals. (He's a sales tax audit
something-or-other. I look at what he does the same way he looks at what I
do... I just don't get it. Anyways, I frequently find myself on the phone
with him doing tech support, if you know what I mean...) I sent him the
software with no instructions - just asked him to run it and give me a call
when it finished. I wanted to see if he could use it start to finish without
any assistance. He called me when it was done. I was so excited that he was
able to use it and find all kinds of things with it... THEN.... The first
question he asked hit me like a ton of bricks. He asked, "It found XYZ, but
so what?"



In other words, we (security and/or audit people) know why storing PII/NPI
on systems is bad -- because it's our fulltime job to know that. The rest of
the user community out there doesn't know the same things we know and why
the threat is more serious than most people realize (they have fulltime jobs
where they are responsible and accountable for other things that most of us
don't fully understand either!). In fact, the average $500 Mil/year
organization is subject to 35 to 40 federal regulations. I have a hard time
finding CISOs that can name even a fraction of those. So it's not limited
to just non-IT people. Once my dad asked the question "So what?" the goals
for the application completely changed - as you'll see.



Anyways, I hope you're able to find it useful.



Happy holidays to everyone on the list! Only a few more weeks until winter
break! :)



-Gary












