Educause Security Discussion mailing list archives
Re: Locating Personally Identifiable Information
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 12 Feb 2008 12:20:34 -0500
David, Elaine wrote:
At the University of Connecticut we are looking to deploy software for locating personally identifiable information such as social security numbers, credit card numbers, etc. in our efforts to help us manage and protect sensitive data. We have identified several products that we have tested for functionality, among them: Cornell's Spider Forensic Tool, Velosecure's Identity Finder, and Proventsure's Self PII Detection. I am interested in learning whether other institutions have implemented a tool for identifying/locating sensitive information, and if so: (1) Which tool are they using?
We just purchased Proventure's Asarium product for our Windows desktops.
(2) How is the tool being deployed? E.g. Do you just make it available for use by your staff? Do you have support staff who run the tool for individuals who request it or can individuals run it themselves? Is it mandatory or voluntary to use the tool?
We rolled it out as a centrally managed service to Windows desktops in the IT department as part of the evaluation process. We plan on rolling it out to other campus departments a little at a time in a similar fashion. In fact, several of them are pushing us for it. The product also has a self service component with both local and central reporting capabilities that we plan to make available. We'll adjust the exact mix as we gain more reporting and mitigation experience with outside areas. We're using Cornell Spider for non-Windows servers. We do not have a formal plan for addressing non-Windows desktops yet though Spider would probably be the logical choice for us. One of the things to keep in mind about a centralized, agent based product that runs as a system service is that it will only be able to search things it has credentials for. Things like EFS encrypted files, Outlook PST files, and network drives will only be accessible to specific authenticated accounts which may necessitate multiple runs, a mixture of central and standalone scanning, central scanning of network storage, and/or other procedural adjustments. -- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Locating Personally Identifiable Information David, Elaine (Feb 12)
- <Possible follow-ups>
- Re: Locating Personally Identifiable Information Theresa Semmens (Feb 12)
- Re: Locating Personally Identifiable Information Doug Markiewicz (Feb 12)
- Re: Locating Personally Identifiable Information Brad Judy (Feb 12)
- Re: Locating Personally Identifiable Information Charles Young (Feb 12)
- Re: Locating Personally Identifiable Information Gary Flynn (Feb 12)