DLP Scanning Exception (EXCEPT0000200)

APPROVED: DLP Quarterly Scanning Requirement Exception Request (EXCEPT0000200)

This exception rescinds the quarterly scanning requirement for six months while Information Security explores alternatives to Data Loss Prevention (DLP) Highly Sensitive Data (HSD) scanning tools. 
This exception only applies to new installations. Devices that already have Identity Finder (IDF) or other DLP software installed and running are required to continue to perform quarterly scans and remediate any HSD found, per the UDPS.

As of November 13, 2020, this exception request (EXCEPT0000200) has been reviewed by UVA Information Security and approved by the appropriate parties described at http://security.virginia.edu/exceptions for Medium Risk exception requests. The approval for EXCEPT0000200 will remain valid until May 12, 2021.
Please remember that this exception request is approved with the following controls implemented concurrently with the permitted exception.

Policy: Data Protection of University Information (IRM-003)
Standards: University Data Protection for Individual-Use Electronic Devices or Media Standard and the University Data Protection Standard (UDPS)
Procedures: Procedures on the Use of Data Loss Prevention (DLP) Tools and Highly Sensitive Data Protection Procedures for Individual-Use Electronic Devices or Media
Recommended Duration: 6 Months
Risk Level: Medium

Affected Systems and Data: All "shared devices" (aka servers) and "individual-use devices" (aka laptops, thumb drives) that store or transmit University data.

Request:

Multiple standards and procedures require quarterly scanning for HSD on devices that are not approved for the storage of HSD: the UDPS table for "shared devices" (aka servers), the UDPS table for "individual-use devices" (aka laptops, thumb drives), the "HSD Protection for Individual-Use Devices standard", the "Procedures on the Use of DLP Tools", and the "Highly Sensitive Data Protection Procedures for Individual-Use Electronic Devices or Media". These standards require the use of Identity Finder (aka Spirion or IDF) for this scanning.

We thought that ForcePoint, a new tool that was being tested, would replace Identity Finder (IDF), but it did not work well. Information Security is exploring other avenues for securing HSD. This exception rescinds the quarterly scanning requirement for six months while we explore alternatives to DLP HSD scanning tools.

This exception only applies to new installations. Devices that already have IDF or other DLP software installed and running are required to continue to perform quarterly scans and remediate any HSD found, per the UDPS.

Compensating Controls: Approval granted with the following controls -

  1. If IDF or other non-IDF DLP software is in use by a business unit, then the business unit should continue to perform scans. This exception request should have no bearing on such activities.
  2. Information security strongly recommends whole disk encryption be deployed on all laptops within business units whose users are accessing HSD.
  3. In addition, DLP for ITS-managed Office 365 services is deployed in these specific cases: ITS O365 emails sent and received, OneDrive new file upload or file ownership transfer, and SharePoint new file upload or file ownership transfer. This means that some of the most frequently and commonly used methods of data loss are being scanned.

If these controls cannot be met, please email it- [email protected] immediately. Please note that InfoSec may terminate this exception at any time.