Educause Security Discussion mailing list archives
Re: Sensitive Information Survey
From: Brad Judy <win-hied () BRADJUDY COM>
Date: Mon, 24 Aug 2009 16:45:27 -0400
I'll echo what Theresa said - one of the major risks with sensitive data is the old files that the user has long forgotten. I highly recommend supplementing any sort of survey with a scanning tool (Spider, SENF, Find_SSN, IdentityFinder, etc). It might be very educational to do both and note the "awareness factor" for your administration. It might be enlightening to see that only x% of people were aware of the sensitive data on their computers.

I'll also echo some of my old posts and remind people to test and familiarize themselves with any scanning tool they roll out. Know when it does and does not detect sensitive information. I'd recommend a set of test data that covers known common situations, and includes items that you know will *not* be detected to illustrate the limits of such tools (a jpg screen shot of data, information that is sensitive but not a pattern-match, esoteric file formats, etc).

Brad Judy

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa Rowe
Sent: Monday, August 24, 2009 4:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Sensitive Information Survey

We've tried, but we did not get the information we needed to be really successful. We learned quickly that it was more effective to ask "what data do you send off-campus" rather than "what data do you store." They know what they exchange, but they don't know what they've kept.

Searches by tool are more effective. Through iterations of buy/update pcs and the gig storage available, it seems that people keep hundreds of files that they no longer remember. Consider the faculty member who had a portable drive with departmental placement test scores tracked by name and social security number, with the newest file 10 years old. Didn't remember it. And even after that was discovered, finding more files on the faculty member's laptop with the same sort of data. Just forgot it was there.

We are trying to get the word out to get rid of stuff, but old faculty gradebooks from when SSN was the student number seem to be a big hazard.

Theresa

On Mon, Aug 24, 2009 at 4:16 PM, Wayne Bullock <wayne () fau edu> wrote:

We are working on putting together a user survey with the intent to locate Sensitive or PII information. Mostly, we are looking for users that have downloaded sensitive data from protected systems to their workstations or laptops. We are doing this with the intent to be in position to better audit systems and provide targeted information security training.

If you have done this before at your institution would you provide some feedback? Did the survey yield useful results? Sample surveys that you have used in the past would be very welcome.

Thank you,
--Wayne

Wayne Bullock, MSCIS, CCNA
Associate Director Communication Services Infrastructure
Information Resource Management
Florida Atlantic University
777 Glades Road
Boca Raton, FL 33431

--
Theresa Rowe
Chief Information Officer
Oakland University
**Think Green - Think before you print.**
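
One way to build the kind of test set Brad Judy describes, as an added example that is not part of the original thread: a constructed corpus that records the expected outcome per file, including cases a pattern matcher will miss and one it will wrongly flag. The `scan` function is a hypothetical regex stand-in for whichever tool is deployed, and every file name and sample number below is constructed.

```python
import base64
import re

# Hypothetical stand-in for a pattern-matching scanner. Real tools have their
# own rules; run the same corpus through the tool you actually deploy.
SSN_RE = re.compile(rb"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def plausible(area: bytes, group: bytes, serial: bytes) -> bool:
    """Reject numbers the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    return (area not in (b"000", b"666") and not area.startswith(b"9")
            and group != b"00" and serial != b"0000")

def scan(blob: bytes) -> bool:
    """True if the blob holds at least one plausible SSN-shaped number."""
    return any(plausible(*m.groups()) for m in SSN_RE.finditer(blob))

def build_corpus() -> dict:
    """Constructed test files: name -> (content, should the scanner flag it?)."""
    row = "Doe, Jane,123-45-6789,placement=87\n"  # constructed, not a real SSN
    return {
        "gradebook.csv":        (row.encode(), True),
        "gradebook_nodash.csv": (row.replace("-", "").encode(), True),
        "parts_list.txt":       (b"Part no. 123456789 in stock\n", True),  # false positive
        "order.txt":            (b"Order 000-12-3456 shipped\n", False),   # never-issued area
        "gradebook_utf16.txt":  (row.encode("utf-16-le"), False),          # NUL between digits
        "attachment.b64":       (base64.b64encode(row.encode()), False),   # encoded copy
        # Sensitive, but nothing for a pattern match to find:
        "advising_note.txt":    (b"Jane Doe: disability accommodation on file\n", False),
    }

def run_corpus(corpus: dict) -> dict:
    """Return name -> (expected, actual) so gaps and surprises are both visible."""
    return {name: (expected, scan(blob)) for name, (blob, expected) in corpus.items()}

if __name__ == "__main__":
    for name, (expected, actual) in run_corpus(build_corpus()).items():
        note = "" if expected == actual else "  <-- differs from documented behaviour"
        print(f"{name:22} expected={expected!s:5} detected={actual!s:5}{note}")
```

Rows where the expected value is `False` document the known limits of the tool; a row whose actual result differs from the expected one means the tool's behaviour is not what the documentation or rollout plan assumed.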