Educause Security Discussion mailing list archives

Re: Sensitive Information Survey


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Mon, 24 Aug 2009 16:45:27 -0400

I'll echo what Theresa said - one of the major risks with sensitive data is
the old files that the user has long forgotten.  I highly recommend
supplementing any sort of survey with a scanning tool (Spider, SENF,
Find_SSN, IdentityFinder, etc).  It might be very educational to do both and
note the "awareness factor" for your administration.  It might be
enlightening to see that only x% of people were aware of the sensitive data
on their computers.



I'll also echo some of my old posts and remind people to test and
familiarize themselves with any scanning tool they roll out.  Know when it
does and does not detect sensitive information.  I'd recommend a set of test
data that covers known common situations, and includes items that you know
will *not* be detected to illustrate the limits of such tools (a jpg screen
shot of data, information that is sensitive but not a pattern-match,
esoteric file formats, etc).



Brad Judy



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa Rowe
Sent: Monday, August 24, 2009 4:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Sensitive Information Survey



We've tried, but we did not get the information we needed to be really
successful.  We learned quickly that it was more effective to ask "what data
do you send off-campus" rather than "what data do you store."   They know
what they exchange, but they don't know what they've kept.  Searches by tool
are more effective.

Through iterations of buy/update PCs and the gig storage available, it seems
that people keep hundreds of files that they no longer remember.

Consider the faculty member who had a portable drive with departmental
placement test scores tracked by name and social security number, with the
newest file 10 years old.  Didn't remember it.

And even after that was discovered, finding more files on the faculty
member's laptop with the same sort of data.  Just forgot it was there.

We are trying to get the word out to get rid of stuff, but old faculty
gradebooks from when SSN was the student number seem to be a big hazard.

Theresa

On Mon, Aug 24, 2009 at 4:16 PM, Wayne Bullock <wayne () fau edu> wrote:

We are working on putting together a user survey with the intent to locate
Sensitive or PII information. Mostly, we are looking for users that have
downloaded sensitive data from protected systems to their workstations or
laptops.



We are doing this with the intent to be in position to better audit systems
and provide targeted information security training.



If you have done this before at your institution would you provide some
feedback? Did the survey yield useful results? Sample surveys that you have
used in the past would be very welcome.



Thank you,



            --Wayne



Wayne Bullock, MSCIS, CCNA
Associate Director

Communication Services Infrastructure

Information Resource Management
Florida Atlantic University
777 Glades Road
Boca Raton, FL 33431







--
Theresa Rowe
Chief Information Officer
Oakland University
**Think Green - Think before you print.**
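
Added example, not part of the original thread or of any tool named in it: a small Python harness for the test-data approach recommended in the top message, pairing each constructed file with the result you expect and flagging any mismatch. The `scan` function is a hypothetical stand-in for the scanner under test, and the UTF-16 and base64 files are assumed stand-ins for formats that do not store text as plain ASCII.

```python
import base64
import re
import tempfile
from pathlib import Path

# Hypothetical stand-in for the scanner under test: a byte-level SSN regex.
SSN_RE = re.compile(rb"(?<!\d)\d{3}[- ]?\d{2}[- ]?\d{4}(?!\d)")
FAKE = "000-12-3456"  # constructed value; area 000 is never issued

# filename -> (file bytes, should the scanner flag it?). All contents are constructed.
CASES = {
    "roster.txt":     (f"Doe, Jane  {FAKE}  score 87\n".encode(), True),
    "grades.csv":     (f"name,id\nDoe,{FAKE.replace('-', '')}\n".encode(), True),
    # Known misses: same data, but not stored as plain ASCII digits.
    "utf16.txt":      (f"Doe, Jane {FAKE}".encode("utf-16"), False),
    "attach.b64":     (base64.b64encode(f"Doe, Jane {FAKE}".encode()), False),
    # Sensitive, but nothing for a pattern match to find.
    "no_pattern.txt": (b"Jane Doe: placement test failed, referred to counseling\n", False),
    # Negative control: digits that must not be flagged.
    "phone.txt":      (b"Help desk: 555-0100 ext 4421\n", False),
}

def build_corpus(root: Path) -> dict:
    """Write the test files and return {filename: expected_detection}."""
    for name, (data, _) in CASES.items():
        (root / name).write_bytes(data)
    return {name: expected for name, (_, expected) in CASES.items()}

def scan(path: Path) -> bool:
    """Toy scanner: True if the raw bytes contain an SSN-shaped string."""
    return SSN_RE.search(path.read_bytes()) is not None

def evaluate() -> dict:
    """Return {filename: (expected, actual)} for the whole corpus."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        expected = build_corpus(root)
        return {n: (e, scan(root / n)) for n, e in expected.items()}

if __name__ == "__main__":
    for name, (exp, act) in evaluate().items():
        note = "as expected" if exp == act else "SURPRISE: investigate"
        print(f"{name:16} expected={exp!s:5} detected={act!s:5} {note}")
```

To evaluate a real tool, point it at the directory `build_corpus` writes and compare its report with the expected column; image cases such as a screenshot of data need a real image file added by hand.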

