SPI/PII detection implimentation?

["Schoenefeld, Keith P." <Keith_Schoenefeld () BAYLOR EDU>]

I appreciate your time, if you respond directly to me I will summarize back to the list:

We are considering how best to detect and properly mitigate sensitive personal information (SPI) and personally 
identifiable information (PII) on our campus.  In so doing, we are curious how other institutions are currently 
managing this process.

1) Is software being deployed to endpoints, and if so is the installation voluntary, mandatory on some systems (if so, 
how were those systems selected), or mandatory on all systems?

2) How is the software installed on endpoints?

3) Are all scans initiated by the end user, is there a mix of user-initiated and automated (scheduled) scanning, or are 
all scans automated (scheduled)?

4) What kind of centralized reporting (if any) is leveraged?

5) Do you have a documented and published (at least to faculty/staff) SOP for dealing with data that is identified?

-- KS

Keith Schoenefeld
Information Security Analyst
Baylor University