Search Information Security site

 

Procedures on the Use of Data Loss Prevent (DLP) Tools

Table of Contents

1.  Purpose and Background
2.  Procedures 
     a) Installing and Using the Identity Finder on an Unmanaged Individual Client
     b) Using the Identity Finder on a Managed Individual Client (Preferred)
     c) Using the Identity Finder Management Console
3.  Definitions
4.  Related Links
5.  Further Guidance
6.  Exceptions

[Return to Library]

1. Purpose and Background

The University of Virginia is strongly committed to maintaining the privacy and security of confidential personal information and other highly sensitive data it collects. It expects all those who store such information to treat these data with the utmost care. There are various University policies, federal and state laws and regulations, and contractual obligations that govern how such data must be protected.  The risk of unauthorized disclosure of HSD is very high when such data are stored on individual-use electronic devices and media, since these items are easily stolen.  The University provides software to help prevent identity theft by locating personally identifiable information, in the form of Social Security Numbers (SSNs), credit card numbers, and other sensitive information, that is stored on electronic devices or media. Such data are defined as highly sensitive data by the Data Protection of University Information (IRM-003) policy.

These procedures apply to all non-student users and departments of the University, including the Academic Division, Medical Center, College at Wise, and University-related Foundations. 

Currently, the software provided for scanning for PII is Identity Finder.  Individuals and departments at UVA must use Identity Finder to help them find and, where possible, remove such PII, if appropriate approvals have not been granted for the storage of these data.  Identity Finder software also enables departments to keep an accurate inventory of all SSN data stored on laptops, desktop computers, servers, and other media (CDs, DVDs, tape backups, USB thumb drives, etc.), that has been approved as required by the Data Protection of University Information (IRM-003) policy, and the Highly Sensitive Data Protection Standard and Highly Sensitive Data Protection Procedures.

All non-student users must perform scans at least quarterly on any electronic device or media that may store University data, whether owned by an individual or the University.   If users are approved to store highly sensitive data on individual use devices or media, Identity Finder (or equivalent) must be run on all storage areas at least quarterly, and any HSD found on unapproved storage areas must be remediated immediately, as stipulated in the Highly Sensitive Data Protection Standard.  Departments may set more specific guidelines for faculty and staff.

It is recommended that users, especially who job duties include handling HSD, acquire the managed client version of the Identity Finder software to automate scanning and remediation tasks as well as provide a log of these activities.

[Table of Contents]

2. Procedures for Locating Highly Sensitive Data

Installing and Using the Identity Finder on an Unmanaged Individual Client

Download the Identity Finder installer software: Non-student users running Identity Finder on an unmanaged client (computer that does not have Identity Finder installed and managed by the Identity Finder Management console) must download and install the software by first logging in with NetBadge, selecting the correct version of Identity Finder for  your computer (Windows or Macintosh), and following the prompts.

In order to respond to audit requests and/or forensic investigations involving HSD, departments must demonstrate compliance with scan and remediation requirements referenced above.  Therefore non-student users must be able to provide the following documentation for every scan completed: 1) the date of the scan, 2) the user performing the scan, and 3) the actions taken to remediate any identified highly sensitive data (HSD) that was not in an approved storage location.

Department management must review the documentation to ensure scans are properly completed on the required schedule.  These requirements are mostly easily met by using the Management Console (managed client) version of Identity Finder. Departments are strongly encouraged to make use of the Identity Finder Management Console.

When users run their periodic scans, they must print or save their initial scan results (making sure not to display the full details of any highly sensitive data).  If remediation is required, they can re-run the scan following remediation and print or save the “clean” scan results.  Any printouts or saved reports should be signed and dated and kept for future audit or security reviews.  These reports can be kept in either electronic or printed form, in a secure area as they are classified as Moderately Sensitive Data.  These reports MUST NOT contain the details  (e.g., the SSN) of any HSD found in the scan.  Department management must periodically review these documents to confirm that both scanning and remediation have been completed.

Using the Identity Finder on a Managed Individual Client (Preferred)

Non-student users running Identity Finder on a managed client (computer that has Identity Finder installed and managed by the Identity Finder Management console) do not need to download the software or document the date of scan, the user performing the scan, or any actions taken to remediate identified HSD that was not in an approved storage location.  Nor is there a need for department management to review the documentation to ensure that scans are completed on the required schedule.  These processes are done automatically by the central management console, thereby fulfilling the requirement for documentation of quarterly scans and any necessary remediation.

Using the Identity Finder Management Console

The Identity Finder Management Console enables departments to keep an accurate inventory of all HSD data stored on electronic devices and media, including laptops, desktop computers, servers, and CDs, DVDs, tape backups, USB thumb drives, etc. as required by the Data Protection of University Information (IRM-003) policy, and the Highly Sensitive Data Protection Standard and Highly Sensitive Data Protection Procedures.

The Identity Finder Management Console has two parts: client software installed on the UVA computer and a server that collects the completed reports.  In order to use the Identity Finder Managed Individual Client and Management Console, the department must designate an LSP or person with like responsibilities to manage the installation and operation of the Identity Finder Client software and Management Console and approve this person's access to the JointVPN.  Typically the department head/chair or designee provides these approvals.   Email it-security@virginia.edu to request access.

Once approved, the LSP designee must obtain a UVA Identity Token and access to the JointVPN and complete introductory console training provided by the Information Security office.

The Identity Finder Management Console offers several benefits to UVA departments:

  • Evidence that scans have been completed
  • Management awareness of highly sensitive data
  • Easier remediation
  • Automated scanning and remediation reports
  • Centralized departmental management of scans
  • Reduced false positives

[Table of Contents]

3. Definitions

For a comprehensive list of the definitions found in the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, please click here.

[Table of Contents]

4. Related Links

[Table of Contents]

5. Further Guidance

[Table of Contents]

6. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.

[Table of Contents]

APPROVER: Chief Information Security Officer

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security Office will evaluate the report and provide a full investigation.

Complete Report Form