Sensitive data locator service
According to University policy, the storing of confidential information on our mobile computer hard drives is discouraged. This is particularly important for information that has been identified as personally identifiable information (PII), i.e., information about people that can be used for identity-theft purposes, such as social security numbers, dates and places of birth, mothers' maiden names, credit card numbers, bank and investment account numbers, drivers' license numbers, passport and visa numbers, tax information, etc.
If such information is exposed, we may be obliged by state, national and international privacy laws to notify any affected individual, the Attorneys General in their home states, the media, and, in some cases, to provide these individuals with credit protection services. Should such an exposure occur, the cost to the University, both financially and reputationally, could be significant. Interestingly, the most common PII stored on systems is associated with the primary user of the computer and his or her family members, putting their identities at risk. The sensitive data locator service can help you find PII on your system so you can delete it or ensure that it has appropriate access controls.
Isn't encryption sufficient to protect against PII exposure?
While encryption significantly reduces the risk of data exposure, it is far better to not have PII on your system at all. Why? Because encryption primarily protects against exposure in cases where a malicious individual gains physical possession of the computer. It cannot protect against attacks facilitated by the exposure of your password, or by viruses or other malicious software. Additionally, if encryption must be removed from your system because you are traveling to a country that restricts the use of encryption, any PII must be removed to comply with policy and to protect the University's interests.
How can you know whether or not PII is stored on your systems?
OIT provides the Data Scanning service, in which we scan your computer's hard drive for PII at your request. This service involves a member of the IT Security team running programs on your system that can identify files and e-mail messages that include data matching any pre-defined PII format. Once the scan report is produced, each file identified must be visually reviewed with a member of the IT Security team to determine whether or not the data is truly PII or just a number in a similar format. All observations and discussions with the IT Security team during the review process are completely confidential.
Will the scanning process reveal any other information on your system?
The scanning tools are programmed to only look for data that may be PII. They are incapable of reviewing or interpreting activities performed on your system. The reports generated only list the names of the files found along with the specific pieces of data that match a PII format.
How can you request scanning software for your system?
You can obtain scanning software by contacting the OIT Help Desk at 8-4357 (HELP) or by submitting an OPM request to the EIS IT Security queue.
How do I run the scanning software and review the results?
The following documentation takes you through the process, from initiating a scan to reviewing and acting upon the resulting scan report.
"Quick Start" Documentation