Identity Finder FAQ for Faculty

25 03 2014

[Note: Significant updates made on 2014-05-13, 2014-05-07, and 2014-04-24. Updates on scheduling and encryption on 2014-07-02.]

Back in April 2013, IT Services Director Jim Franceschelli and Information Security Director Adam Edwards came to TAG with a proposal to automate Identity Finder scans on faculty desktop computers. In June 2013, the President’s Cabinet approved the use of automated scans with Identity Finder on University-owned desktops as part of an overall Information Security Data Loss Prevention program. Then-CIO Jerry DeSanto sent an email announcement about the program to all faculty and staff on June 21, 2013, projecting implementation in December 2013.

Since then, Information Security has been working with TAG to pilot test the scans and try to smooth the process as much as possible for faculty. Automated scans have already started for staff, and Information Security would like to move forward with implementation for faculty machines. Currently, automated scans are scheduled to begin on August 1, 2014. Here’s what faculty need to know:

Why is the University doing this?

  • Data security is serious business for higher ed — we have ethical, legal, and financial obligations to protect the personally identifiable information that we have collected from students, faculty, staff, human subjects, etc.
  • If your computer or external media contracts a computer virus, is lost, stolen, or broken into over the network, files containing restricted information are at risk for theft. This information can be used to steal not only your money and identity, but also the money and identities of anyone else who either shares your computer or whose restricted information you store.
  • If you store restricted information for University work, the University would be obligated under state law to notify everyone affected by the breach and could potentially be legally liable.

Does this benefit me at all?

  • Identity Finder can help you protect yourself — use it to search for sensitive, unprotected information on your computer and then take an action (Shred, Scrub, Secure, Quarantine, etc) to secure that information. (Personally, an Identity Finder scan I ran on my machine found old documents containing my SSN that I had stored unencrypted in Google Drive… not smart.)
  • If your computer gets a virus, IT Services can clean and return it to you much more quickly and easily if they have a recent Identity Finder report for your machine.

What is Identity Finder?

  • Identity Finder is security software that scans your (Windows) computer for sensitive, unsecured Personally Identifiable Information (PII) stored in unprotected files.
  • If you run a scan on your machine, Identity Finder will give you a report showing what it found and where. It then gives you options to take action – you can shred the file, scrub (redact) information, secure the file, or move it to a quarantined location. You can also ignore false positives.
  • It works by looking for patterns – for example, a nine-digit number in the pattern ###-##-#### would be picked up as a possible Social Security number. If it picks up something that looks like a Social Security number but isn’t (a false positive), you can tell it to Ignore that result.
  • Identity Finder has been installed on all University Windows machines (via KBOX) since about 2009.

What kind of sensitive/restricted information are we talking about?

  • Restricted information is any piece of information which can potentially be used to uniquely identify, contact, or locate a single person. Restricted information is generally regulated by law or contract and often used for financial, medical, or research identification. (See the Information Classification Policy for additional info.)
  • Identity Finder looks for most types of Personal Identifying Information:
    • Bank Account Numbers
    • Credit Card Numbers
    • Dates of Birth
    • Driver’s Licenses
    • Passwords
    • Passport numbers
    • Social Security Numbers
  • Identity Finder is NOT looking for:
    • Email addresses
    • Mother’s maiden name
    • Personal addresses
    • Phone numbers
    • United Kingdom National Health Service Numbers, United Kingdom National Insurance Numbers, Canada Social Insurance Numbers, Australia Tax File Numbers
  • If you’d like to get a better understanding of what kind of information Identity Finder picks up, you can run a non-scheduled Identity Finder scan on your machine whenever you’d like.

What are automated scans? 

  • Right now, Identity Finder only scans your machine when you tell it to.
  • Information Security and IT Services plan to run weekly, automated Identity Finder scans (see the proposal for details) on all University (Windows) computers. The idea is that every Friday at noon, all University computers will automatically initiate an Identity Finder scan.

Where is Identity Finder looking? What folders/locations are scanned?

  • Automated scans include:
    • Local filesystems (like your C: drive) and local registry
    • Browsers
    • Attached devices
    • Email — If you use a local email client (e.g. Outlook or Thunderbird), Identity Finder will scan the mailboxes that are cached on your computer. However, if you mainly use OWA or another browser-based method, you don’t have a locally cached copy, and Identity Finder won’t be able to scan it.
  • Scans do not include the R: drive or most other remote connections.
  • If you’d like to get a better understanding of what the automated scans will include, you can run a non-scheduled Identity Finder scan on your machine whenever you’d like.

What if I have sensitive/restricted/confidential information saved on my computer?  Like confidential human subject research data or client files?

  • ANY sensitive/restricted/confidential information that you are storing ANYWHERE should be encrypted! Without encryption, your data is vulnerable to attack, misuse, and all sorts of other bad things.
  • Information Security recommends using TrueCrypt (which is free and open source) to encrypt your data. Scott Finlon in Information Security wrote up some brief  instructions (PDF) for encrypting a folder of files using TrueCrypt. Update 2014-07-02: Support for TrueCrypt was discontinued in 2014-05, so Information Security now recommends using 7Zip – see instructions (.docx).
  • Information Security has been in ongoing conversations with the IRB about ensuring confidentiality of human subject research data and client files. Members of the IRB had expressed concerns that Identity Finder scans would violate the confidentiality of human subject data. The good news is that data encryption resolves this concern — encryption protects sensitive data from Identity Finder scans as well as from external malicious attacks.
  • Please contact Information Security if you have any questions about protecting confidential data.

How long do the scans take? Will this affect my computer or my work?

  • Identity Finder scans can take several hours if you have a large number of documents.
  • Thankfully, Identity Finder uses a search history to keep track of what files do and do not have matches. Because of this, the initial scan is much slower than subsequent scans, as it has to scan your entire hard drive. Each subsequent scan will only look at new files, changed files, and files that previously reported matches.
  • TAG members have been piloting automated scans since September 19, 2013. We ran our own scans first, and these often took quite a while. After the initial scan, however, subsequent automated scans have been speedy. So far, none of us have experienced any performance issues – the scans are essentially invisible to the user.

My computer went to sleep during the scan. What happens now? Can Identity Finder wake my computer up to scan?

  • Identity Finder scheduled scans are set locally, so they will only be invoked while the computer is on and running — they can’t wake up your computer.

What if I’m not on campus on Fridays and my desktop machine is turned off? What if I’m not on campus on Fridays but am using my laptop? 

  • Automated scans are currently scheduled in batch for Fridays at noon. They will run as long as your computer is turned on – whether or not you’re on campus (or on the University network).
  • If you are offline, the scan will run as scheduled. The report will be sent to Information Security once you reconnect to a network.
  • If your computer is turned off at 12pm on Friday (that is, if the scheduled scan is missed), it will begin with a randomized start time between 30 minutes and 120 minutes after the computer is back up and running.

What happens after the scan is done?

  • When the scan is done, Information Security will get a report from Identity Finder indicating the level of risk for that machine. The report includes the number of hits, but NOT the actual information that was marked as potentially sensitive – that is redacted. The reports show only a masked version of a potentially problematic file and the location where it was found. Reports are only viewable by the Information Security Director (Adam Edwards) and the Information Security Engineer (Scott Finlon).
  • Based off of these reports, Information Security then works one-on-one with users, recommending that users delete the files (if they’re no longer needed) or move them to a more secure, encrypted location. (Adam said that he is working with staff with the most risk first — e.g., people with 1,000 hits or more.)
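
The pattern matching described under “What is Identity Finder?” and the redacted report described above can be sketched as follows. This is an added illustration, not Identity Finder's actual detection logic or report format; the structural SSN checks, the last-four masking, the hashed Ignore list and all sample data are assumptions made for the example.

```python
import hashlib
import re

# Candidate pattern from the FAQ: ###-##-####, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """Drop candidates that can never be real SSNs (ranges that are not issued)."""
    if area in ("000", "666") or area[0] == "9":
        return False
    return group != "00" and serial != "0000"

def fingerprint(value):
    """Hash a value so the Ignore list never stores the number itself (assumption)."""
    return hashlib.sha256(value.encode()).hexdigest()

def mask(value):
    """Masked form for the report; keeping the last four digits is an assumption."""
    return "***-**-" + value[-4:]

def scan(files, ignored=frozenset()):
    """Return a hit count plus location, line and masked value for each finding."""
    findings = []
    for location, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in SSN_RE.finditer(line):
                value = m.group(0)
                if not plausible_ssn(*m.groups()) or fingerprint(value) in ignored:
                    continue
                findings.append(
                    {"location": location, "line": lineno, "masked": mask(value)})
    return {"hits": len(findings), "findings": findings}

# Constructed sample data: file names and numbers are made up for this example.
SAMPLE_FILES = {
    "C:/Users/example/Documents/roster_2009.txt":
        "Student: A. Example, SSN 123-45-6789\n"
        "Part no. 321-54-9876 (catalog)\n",      # looks like an SSN but is not
    "C:/Users/example/Documents/notes.txt":
        "Order ref 000-12-3456\n"                # area 000 is never issued
        "Tracking 4123-45-67891\n",              # part of a longer digit run
}

if __name__ == "__main__":
    first = scan(SAMPLE_FILES)
    print(first["hits"], first["findings"])
    # The user reviews the results and marks the part number as a false positive.
    ignored = {fingerprint("321-54-9876")}
    print(scan(SAMPLE_FILES, ignored))
```

The second scan reports one hit instead of two, and neither report contains an unmasked number.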

What if I have a Mac or Linux machine? 

  • Automated Identity Finder scans will only run on Windows machines.

When is this happening?

  • Automated scans are scheduled to begin on University-provided faculty desktop machines on August 1, 2014. (Information Security Officer Adam Edwards sent out a notification to all faculty on May 28, 2014 and a reminder on June 30, 2014.)
  • Automated Identity Finder scans are already running on staff machines (and on TAG members’ machines).

What should I do to prepare?

Questions or concerns?

 





TAG Meeting 10/3/2012

8 11 2012

On October 3, TAG held its second Fall 2012 meeting.  [Yes, that was more than a month ago — many apologies for taking so long to post the meeting notes!]

1. Departmental Websites and the CMS

We’ve been discussing departmental websites for quite a while.  Lori Nidoh (PR) brought us some analytics from the University website (June 2012 – September 2012, all excluding internal traffic) to give us a better idea of how these pages are being used:

  • The Undergraduate Programs page is the 5th most visited page on the University website – after the home page, HR vacancy list, HR home page, and Admissions home page. (report)
  • From the Admissions home page, the Undergraduate Programs page is #5 on the list of what pages users visit next – indicating that prospective students are indeed looking at departmental web pages. (report)
  • This spreadsheet shows the most heavily visited scranton.edu/academics/ pages.
  • Lori broke out additional analytics on a few department and program pages to give us a sense of how they are used: Biology, OT, PT, and Pre-Med.

We continued to discuss options for how to keep departmental pages up-to-date. Eugeniu noted that the CTLE TechCons help faculty members with their personal websites, but that access and permissions in the CMS (content management system) are an issue for departmental pages – a department wouldn’t necessarily want to grant publishing rights to a student who is editing their page, but it’s hard to catch quirks and mistakes if you can’t publish and review your recent edits. Lori asked that any observed CMS quirks be reported to PR.

Jeremy will be convening a group of interested faculty to discuss this concern in more detail offline. The group will outline a proposal for how departmental websites could best be maintained,  in collaboration with staff from Public Relations and Academic Affairs. Teresa Conte (Nursing), Katie Iacocca (OIM), Kevin Wilkerson (CHS), and Sandy Pesavento (Education) volunteered to participate, but any interested faculty (especially those with experience using the CMS) can join the discussion.

2. FERPA Considerations for Cloud Computing

Kristen asked for input on what cloud computing tools faculty are currently using and how those tools are being used for instruction. She noted the distinction between “internal cloud” services (e.g., Royal Drive, Angel) versus “external cloud” services (Gmail, Dropbox, etc).

Kristen will meet with IR staff from the Information Security office to nail down specifics on what faculty can and can’t do with these cloud tools in order to comply with FERPA regulations (see previous FERPA post for details).

3. Faculty Input on the IT Tactical Plan

Over the summer, TAG was asked by IR to respond to a number of technology questions posed by Jerry DeSanto, VP/CIO. Planning and Information Resources is in the process of creating their 3-5 year IT Tactical Plan, and the questions were targeted at the expected needs of the faculty in the coming years:

  • How can IT better support faculty research?
  • Given the influx of new, younger faculty what kinds of technology needs/support do you anticipate they are going to need?
  • How do you see the classroom experience changing over the next several years, and how can IT assist in this evolution?
  • What new academic programs do you see developing over the next five years, and how can IT help?
  • With the President’s stated intentions about the University and globalization, how do you see this playing out with web-based education, study abroad, and perhaps the development of satellite campuses in other parts of the globe?

Jerry asked for feedback by November 1 such that faculty input could be incorporated into IR planning. Jeremy asked the group how TAG would like to gather faculty input. We decided on a two-pronged approach – a brief survey sent to all faculty, and a more detailed response from TAG members. [Update – see the results in Jeremy’s 2012-11-05 post, Feedback Regarding the IT Tactical Plan.]





IMAC Meeting Minutes, 10/9/2012

16 10 2012

On October 9, 2012, Jeremy Sepinsky attended the Information Management Advisory Committee (IMAC) meeting. There were a number of issues brought up that may be of relevance to TAG.

  • The Cloud Computing Guidelines were brought before the cabinet, who requested that a list of IR-supported cloud computing services be added. These guidelines were distributed to the university faculty on October 11.
  • The search for a new Director of Information Security is underway.
  • Guidelines for Remote Access to university computers and resources are being prepared. These guidelines will serve, in much the same way as the Cloud Computing Guidelines, as a resource to help faculty and staff safely access computing and data resources of the university while not on campus. There are a number of concerns when restricted or confidential data is stored or broadcast off-campus. The Privacy and Confidentiality Policy as well as the Data Classification Policy outline how we must treat such confidential data. We will provide a draft of the document when one is available for sharing.




FERPA considerations for cloud services

11 09 2012

I sat in on today’s meeting of IMAC (the Information Management Advisory Committee) on behalf of TAG. There were two major items discussed – a revision to the Records Management & Retention Policy (which I don’t think will have much direct impact on faculty) and a set of Guidelines for the Use of Cloud Computing Services.

The Guidelines are not policy – the document just lists some of the concerns and considerations faculty and staff should be aware of when signing up for cloud services like Gmail, Google Docs, Dropbox, Facebook, Twitter, Pinterest, PayPal, etc.

The Guidelines are currently in draft format, so I’ve been asked not to distribute them outside of TAG. Non-TAG members, the new Guidelines will be sent out in 3-4 weeks, but in the meantime take a look at former Information Security Officer Tony Maszeroski’s Guidance on the Use of Cloud Applications by Individuals – the new Guidelines are similar in content.

One of the major concerns with using cloud services for University-related work (like teaching) is that it introduces all sorts of privacy and security issues. Almost all student information, like grades, transcripts, class lists, etc, is classified as restricted or confidential (see the Information Classification Policy) due to FERPA.

Classified or restricted information should not be stored or transferred on non-University systems, so faculty need to be very aware of what information we’re sharing with what third parties. If you’re using cloud tools or social media as part of your class or lab, you need to be very conscious of any potential privacy violations, and be upfront with students about the terms of service.

(See EDUCAUSE’s 2010 report on Privacy Considerations in Cloud-Based Teaching and Learning Environments. Colorado Community Colleges Online has posted some scenarios relating to respecting FERPA in an online classroom.)

I don’t think this is an issue that most faculty are very aware of, and I’d like to get a sense of how TAG can help faculty sort out these considerations in their classes. So let me know what you think – What questions do you have? What resources or references would be useful?