Educause Security Discussion mailing list archives

Re: Sensitive Information Survey


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Tue, 25 Aug 2009 12:57:54 -0700

 Keep in mind that the key component of your effort is a risk-based focus. Addressing any particular gap can be very 
time-consuming; thus it is important to focus on the biggest risks first.

 For example, our institution (3300 staff/faculty) has an enormous number of protected information eddies. It is 
actually pretty challenging to find a department at any of our colleges that doesn't have protected information of some 
form. A portion of the time, just having the discussion about identifying confidential information will result in risk 
mitigation. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Green
Sent: Tuesday, August 25, 2009 12:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Sensitive Information Survey

We haven't done a survey but from other incidents, I've learned you need to ask the exact same question 15 ways ;-)

A no on #1 - #3 doesn't mean no all the way down the line. It's just that people don't think in these terms.

1) Do you have any sensitive information?  
2) Do you have any personally identifiable information?
3) Do you have any credit card numbers?
4) Do you have any research data?
5) Do you have any medical records?
6) Do you have any student data such as grades, tests, financial aid information?
7) Do you have any employment records such as

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wayne Bullock
Sent: Monday, August 24, 2009 3:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Sensitive Information Survey

We are working on putting together a user survey with the intent to locate Sensitive or PII information. Mostly, we are 
looking for users that have downloaded sensitive data from protected systems to their workstations or laptops.

We are doing this with the intent to be in position to better audit systems and provide targeted information security 
training.

If you have done this before at your institution would you provide some feedback? Did the survey yield useful results? 
Sample surveys that you have used in the past would be very welcome.

Thank you,

            --Wayne

Wayne Bullock, MSCIS, CCNA
Associate Director 
Communication Services Infrastructure
Information Resource Management 
Florida Atlantic University 
777 Glades Road
Boca Raton, FL 33431
 
