Educause Security Discussion mailing list archives

Re: Identity Finder


From: "Peterman, Martin (mdp4s)" <mdp4s () VIRGINIA EDU>
Date: Fri, 18 Dec 2009 10:20:34 -0500

BTW the Identity Finder results can be sorted by the number of matches per file (PC only). This can be done by the user. When done, the files with the most SSNs appear at the top of the report. From a risk perspective, it's best to remediate those first.

Thanks,
Marty

Marty Peterman, CISSP
peterman () virginia edu
Information Security Analyst
Information Security, Policy, and Records Office (ISPRO)
Office of the Vice President/CIO
University of Virginia, 2400 Old Ivy Rd.                 Phone  434.243.4909
Box 400898, Charlottesville, VA 22904-4898               Fax    434.243.9197
http://www.itc.virginia.edu/security/


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Escalante
Sent: Friday, December 18, 2009 10:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Identity Finder

Flynn, Gerald wrote:

> Read the Identity Finder manual and understand how individual
> settings impact what is found in a scan. Understanding how to govern
> false positives is important for the remediation of the report.
>
> Can a lay person sort the grain from the chaff?

This is a great question.  In terms of knowing whether something is a false positive or not, our experience is "yes, a 
lay person can figure it out."  The bigger problem we've run into is the person knowing how to navigate the file system 
or IMAP/Outlook local folders/files to properly get rid of the data, NOT the person figuring out if the scan results 
are legit.

> How time consuming is it?

The trite but true answer is, "It depends on how many results there are 
in the scan, and how you approach remediation."  I could give detailed 
examples, but I don't wish to on a public listserv.  So instead let me 
cite an example from Randy's earlier message -- if you have some 
mechanism for throwing all the positives into an encrypted area and 
dealing with them later, then it might not take much time at all.  If 
you have 1,000+ results (yes, this does happen) that you wish to go 
through individually, then obviously it can be a huge time sink.  The 
remediation part needs management to be successful -- running the scans 
is just a technical task.  Figuring out what to DO with the data that's 
flagged is a management problem.

> The time to do data analysis and false positive elimination
> prevents us from rolling out our current product to a wider
> audience. We're doing all the analysis ourselves at this
> point rather than the end user or department and it's a
> significant labor expenditure.

The approach we're taking is to point Identity Finder (Windows) at a 
central configuration file on a server.  When a user reports a false 
positive, we investigate, and if it seems like a legit false positive 
that will affect multiple users, we adjust the configuration (and our 
custom reporting tool, sometimes) as needed to ensure that other users 
won't see, and complain about, that same false positive.  This is more 
of a collaborative approach to the issue, sort of "You help us by 
reporting problems, we'll help you by propagating fixes."  Spreads the 
labor around.
--
David Escalante
Boston College
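Two ideas in this thread lend themselves to a small worked example: Marty's point that sorting results by matches per file puts the riskiest files at the top, and David's approach of pushing false-positive rules out through one central configuration so every client stops flagging the same noise. The script below is an added illustration, not code from the thread or from Identity Finder. It assumes a hypothetical configuration dict standing in for the central config file (Identity Finder's real settings format is not shown on the page), scans constructed sample file contents for SSN-shaped strings, drops values the Social Security Administration has never issued (area 000, 666 or 900-999, group 00, serial 0000) plus a site-wide ignore list, and ranks files by surviving hit count. All file names and nine-digit values are made-up test data.

```python
import re

# Pattern: 3-2-4 digits with an optional separator ("-" or space) that must
# be the same in both positions, so "219-09 9999" is not treated as a hit.
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")

# Hypothetical stand-in for the central configuration file that every client
# would pull: not Identity Finder's real config format.
DEFAULT_CONFIG = {
    "require_separator": False,         # True drops bare 9-digit runs (very noisy)
    "reject_invalid_structure": True,   # apply the never-issued-by-SSA rules
    "ignore_values": {"123-45-6789"},   # site-wide known false positives
}


def structurally_valid(area, group, serial):
    """SSA has never issued area 000, 666 or 900-999, group 00, or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def find_ssns(text, config=DEFAULT_CONFIG):
    """Return canonical 'AAA-GG-SSSS' strings for matches that survive the config."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, sep, group, serial = m.groups()
        if config["require_separator"] and not sep:
            continue
        if config["reject_invalid_structure"] and not structurally_valid(area, group, serial):
            continue
        canonical = f"{area}-{group}-{serial}"
        if canonical in config["ignore_values"]:
            continue
        hits.append(canonical)
    return hits


def rank_files(files, config=DEFAULT_CONFIG):
    """[(path, hit_count)] with the most hits first; files with no hits are dropped."""
    counts = {path: len(find_ssns(body, config)) for path, body in files.items()}
    return sorted(((p, c) for p, c in counts.items() if c),
                  key=lambda pc: (-pc[1], pc[0]))


# Constructed sample "scan targets"; the nine-digit values are made-up test strings.
SAMPLE_FILES = {
    "roster_2008.csv": "Smith,219-09-9999\nJones,078-05-1120\nLee,219-09-9998\n",
    "readme.txt": "Test SSN 123-45-6789; part 000-12-3456; order 666-01-0001\n",
    "grant.txt": "Award 2009-1234, total 450000 dollars, ticket 310123456\n",
    "memo.txt": "Call payroll about 219 09 9999 before Friday\n",
}

if __name__ == "__main__":
    # Default central config: most-hits-first, the order to remediate in.
    for path, n in rank_files(SAMPLE_FILES):
        print(f"{n:4d}  {path}")
    # Changing one central setting changes what every user would see.
    loose = {**DEFAULT_CONFIG, "reject_invalid_structure": False}
    print("without structure check:", rank_files(SAMPLE_FILES, loose))
    strict = {**DEFAULT_CONFIG, "require_separator": True}
    print("separator required:", rank_files(SAMPLE_FILES, strict))
```

Running it shows the trade-off David describes: with the structure check on, readme.txt disappears from the report entirely, while requiring a separator silences the bare nine-digit ticket number in grant.txt. Either knob, flipped once in the shared config, changes the report for everyone who pulls it, which is what makes the "you report, we propagate" arrangement scale.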
