Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Excerpt

IdentityFinder is a software suite that can help locate sensitive information such as credit card or social security numbers. UIT has licensed IdentityFinder for all Tufts-owned computers, and encourages the use of IdentityFinder to help locate sensitive information so that it can be protected or removed (if no longer needed).

For more information, check out the rest of the GuardIt online resource. Currently, Tufts uses Identity Finder version 6.06.

About Identity Finder

What is new about this version of Identity Finder?

UIT is rolling out and offering an Identity Finder console version that provides a view of scan results for your entire department, school, or division. As Information Stewards, you can work with your colleagues to determine if you’d like to opt into the system. It is not a required change and UIT will continue to support the individual version that is currently in use.

Why should we opt in?

Manually running Identity Finder on workstations and laptops can be tedious. The new, centralized version enables administrators (Information Stewards or their delegates) to scan multiple computers automatically. The scan can run in the background with negligible performance impact on the user’s computer. This change will make Identity Finder a managed service rather than an individualized effort, reducing risk and making compliance easier and more cost effective.

OK, my department has decided to opt in. Now what?

Since you are interested in switching to the console version of Identity Finder, please contact Ben Walther in UIT for more information. UIT will work with you to deploy the upgrade and promote awareness. We propose a three-week adoption schedule, to allow for time to increase awareness and foster communication. During those first weeks, we’d suggest:

1.       An email to directors and managers about Identity Finder with an opportunity to address concerns and questions

2.       A week later, an email to staff about Identity Finder with an opportunity to address concerns and questions

3.       A week to distribute a follow-up to any concerns or questions that were raised (assuming the issues do not block deployment)

4.       Executing the first scan and communicating results the following week, a month after the initial communication to directors.

UIT suggest running scans monthly for the first quarter. After the initial phase, scans can be performed quarterly.

Will Identity Finder collect or report the sensitive information found to the Information Stewards?

No, Identity Finder will not record actual sensitive information. It will report the location and name of the file as well as what type of data it has found. For example, it will say it has found a social security number in the file “Tax Return 2011.pdf”. This allows Information Stewards or their delegates to report the files holding data without compromising the user’s privacy.

Will the Information Steward be able to view, edit, or delete the sensitive data from other users’ computers?

No, the centralized console will not be able to view, edit, or delete data. The Information Stewards or their delegates must work with the individual end-users to clean up any files.

Can Identity Finder be used on computers using LanDesk?

Yes, it can be deployed automatically on computers which are already running LanDesk. Computers which do not use LanDesk will need to install manually. Normal operation should be invisible to the end-users.

What do the scan results mean?

Results indicate that Identity Finder found numbers that look like social security numbers or financial account information. These are often false positives - numbers that appear similar but are not actual sensitive information. Identity Finder will also report student ID numbers (starting with 991) as social security numbers. While not legally protected, such numbers usually indicate other student records, which may be covered under FERPA.

A scan result does not mean the user violated policy or is in any “trouble.” This exercise is to reduce risk, not audit compliance, and anyone participating is to be commended.

What is Shredding and what will it do to my files?

Shredding will permanently and securely delete the file containing the piece of sensitive information that IdentityFinder has found. It will completely remove the file and you will not be able to recover it. Only use the Shred feature if you do not need the file and will not need to recover that information.

Identity Finder found a file I don’t recognize. Should I shred it?

Consider contacting your Frontline Support Provider or Information Steward before deleting files you do not recognize. IdentityFinder can accidentally flag numbers in files such as Microsoft Word or Windows as sensitive information. Shredding or deleting these files can damage your computer. An FSP or Information Steward can help you to identify these files and remove them from your search results.

Example Use Case of IdentityFinder Console

Example use of the Identity Finder console

You have communicated details on the Identity Finder console and the appropriate stakeholders in your school have agreed to use this service. You have received credentials for the Identity Finder console from UIT and it has defined the group for which you (or a delegate) will be monitoring. Once this set-up work is done you undertake the following periodic work:

1.       It’s been a month since you last reviewed Identity Finder results, so you log into the console to check the recent, updated scan results since last time.

2.       You sort the results by the number of sensitive findings (positive “hits”) per computer. You don’t see the content of the “hits,” just the number of times that Identity Finder thinks it has found sensitive information.

3.       You notice that the distribution of findings is highly clustered around the top 4 machines---everything after those top 4 has only 1-2 results. You decide to focus on only those top 4 users this month.

4.       You see the usernames and file locations of the findings for the top four users, and jot them down.

5.       You personally know three of the users, and give them a brief phone call, explaining why you’re calling and what you see (and assure that you didn’t see what the information actually was). You confirm with the user whether or not the information really is sensitive or not---there are frequently false positives. You might re-iterate that this is not a disciplinary issue, just an effort to reduce accidental risk of exposure.

6.       The last user is an colleague who is not frequently available, so you communicate the status and situation in a ticket to your IT support specialist, requesting that they have the user contact you, or that the user confirm the status of the data on their own remotely.

7.       If you would like to track metrics or results of the Identity Finder effort, you might record the number of hours spent, results (both valid and invalid) reported, and sensitive information removed. Ideally all of these values should decline over time, providing concrete evidence of reduced risk in your department.

Get IdentityFinder For your Tufts computer

...