DLP Scanning Exception (EXCEPT0000230)

APPROVED: DLP Quarterly Scanning Requirement Exception Request (EXCEPT0000230)

This exception rescinds the quarterly scanning requirement for six months while Information Security explores alternatives to Data Loss Prevention (DLP) Highly Sensitive Data (HSD) scanning tools. 
This exception only applies to new installations. Devices that already have Identity Finder (IDF) or other DLP software installed and running are required to continue to perform quarterly scans and remediate any HSD found, per the UDPS.

As of June 2, 2021, this exception request (EXCEPT0000230) has been reviewed by UVA Information Security and approved by the appropriate parties described at http://security.virginia.edu/exceptions for High Risk exception requests.  The approval for EXCEPT0000230 will remain valid until November 29, 2021.
Please remember that this exception request is approved with the following controls implemented concurrently with the permitted exception.

Policy: Data Protection of University Information (IRM-003)
Standards: University Data Protection for Individual-Use Electronic Devices or Media Standard and the University Data Protection Standard (UDPS)
Procedures: None 
Recommended Duration: 6 Months 
Risk Level: Medium

Affected Systems and Data: All "shared devices" (aka servers) and "individual-use devices" (aka laptops, thumb drives) that store or transmit University data.

Request:

In multiple standards - the UDPS table for "shared devices" (aka servers) and UDPS table for "individual-use devices" (aka laptops, thumb drives), the "HSD Protection for Individual-Use Devices standard
- it is required to do quarterly scanning for HSD on those devices that are not approved for the storage of HSD. These standards formerly required the use of Identity Finder (aka Spirion or IDF) for this scanning.

A new tool, ForcePoint, that was being tested, did not work well. Information Security is exploring other avenues for security of HSD.  This exception rescinds the quarterly scanning requirement for six months while we explore alternatives to DLP HSD scanning tools.

This exception only applies to new installations. Devices that already have IDF or other DLP software installed and running are required to continue to perform quarterly scans and remediate any HSD found, per the UDPS.

Compensating Controls: Approval granted with the following controls -

  1. If IDF or other non-IDF DLP software is in use by a business unit, then the business unit should continue to perform scans. This exception request should have no bearing on such activities.
  2. Information security strongly recommends whole disk encryption be deployed on all laptops within business units whose users are accessing HSD.
  3. In addition, DLP for ITS-managed Office 365 services are deployed in these specific cases: ITS O365 emails sent and received, OneDrive new file upload or file ownership transfer, and SharePoint new file upload or file ownership transfer. This means that some of the most frequently and commonly used methods of data loss are being scanned.

If these controls cannot be met please email it- [email protected] immediately. Please note that InfoSec may terminate this exception at any time.