scanning for sensitive information

["Youngquist, Jason R." <jryoungquist () CCIS EDU>]

We have a project to scan workstations for sensitive information.  It looks like we are going to be purchasing Identity 
Finder with centralized console and workstation licenses.



We are currently working on a data classification policy so we can give guidance to people on what to do with the 
information.



We are probably going to start with installing Identity Finder on 50 machines or less at departments that have 
sensitive information (ie. Accounting, Registration and Financial Services, etc.)



For those of you that implemented Identity Finder with the centralized console, how many hours of professional support 
did you use, and what did your rollout time-line look like?



I've reviewed some Educause presentations and it seems that the biggest recommendations are the following:



*         Project Scope

o   Start with a small group for the first phase

*         Education and awareness

o   Make sure users know why it is important to scan for sensitive information

o   Make it easy for users to discover and correct the issues themselves

o   Come up with a clear process so users know what to do with the sensitive information.

*         Come up with a list of things to scan for

o   SSNs, credit card numbers, bank account numbers, and passwords seem to be the big things.



Would appreciate any thoughts or other lessons learned.







Thanks.

Jason Youngquist, CISSP

Information Technology Security Engineer

Technology Services

Columbia College

1001 Rogers Street, Columbia, MO  65216

(573) 875-7334

jryoungquist () ccis edu<mailto:jryoungquist () ccis edu>

http://www.ccis.edu