Educause Security Discussion mailing list archives

Re: Locating Personally Identifiable Information

From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 12 Feb 2008 12:20:34 -0500

David, Elaine wrote:

At the University of Connecticut we are looking to deploy software for
locating personally identifiable information such as social security
numbers, credit card numbers, etc. in our efforts to help us manage and
protect sensitive data.

We have identified several products that we have tested for
functionality, among them: Cornell's Spider Forensic Tool, Velosecure's
Identity Finder, and Proventsure's Self PII Detection.

I am interested in learning whether other institutions have implemented
a tool for identifying/locating sensitive information, and if so:
(1) Which tool are they using?


We just purchased Proventure's Asarium product for our Windows desktops.

(2) How is the tool being deployed? E.g. Do you just make it available
for use by your staff? Do you have support staff who run the tool for
individuals who request it or can individuals run it themselves?  Is it
mandatory or voluntary to use the tool?


We rolled it out as a centrally managed service to Windows desktops
in the IT department as part of the evaluation process. We plan on
rolling it out to other campus departments a little at a time in a
similar fashion. In fact, several of them are pushing us for it. The
product also has a self service component with both local and central
reporting capabilities that we plan to make available. We'll adjust
the exact mix as we gain more reporting and mitigation experience
with outside areas.

We're using Cornell Spider for non-Windows servers. We do not have
a formal plan for addressing non-Windows desktops yet though Spider
would probably be the logical choice for us.

One of the things to keep in mind about a centralized, agent based
product that runs as a system service is that it will only be able
to search things it has credentials for. Things like EFS encrypted
files, Outlook PST files, and network drives will only be accessible
to specific authenticated accounts which may necessitate multiple
runs, a mixture of central and standalone scanning, central
scanning of network storage, and/or other procedural adjustments.



--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Current thread:

Locating Personally Identifiable Information David, Elaine (Feb 12)
- <Possible follow-ups>
- Re: Locating Personally Identifiable Information Theresa Semmens (Feb 12)
- Re: Locating Personally Identifiable Information Doug Markiewicz (Feb 12)
- Re: Locating Personally Identifiable Information Brad Judy (Feb 12)
- Re: Locating Personally Identifiable Information Charles Young (Feb 12)
- Re: Locating Personally Identifiable Information Gary Flynn (Feb 12)