Table of Contents
1. Purpose and Background
a) Installing and Using the Identity Finder on an Unmanaged Individual Client
b) Using the Identity Finder on a Managed Individual Client (Preferred)
c) Using the Identity Finder Management Console
4. Related Links
5. Further Guidance
Revision History: November 23, 2020
1. Purpose and Background
The University of Virginia is strongly committed to maintaining the privacy and security of confidential personal information and other highly sensitive data it collects. It expects all those who store such information to treat these data with the utmost care. There are various University policies, federal and state laws and regulations, and contractual obligations that govern how such data must be protected. The risk of unauthorized disclosure of HSD is very high when such data are stored on individual-use electronic devices and media, since these items are easily stolen. The University provides software to help prevent identity theft by locating personally identifiable information, in the form of Social Security Numbers (SSNs), credit card numbers, and other sensitive information, that is stored on electronic devices or media. Such data are defined as highly sensitive data by the Data Protection of University Information (IRM-003) policy.
These procedures apply to all non-student users and departments of the University, including the Academic Division, Medical Center, College at Wise, and University-related Foundations.
Currently, the software provided for scanning for PII is Identity Finder. Individuals and departments at UVA must use Identity Finder to help them find and, where possible, remove such PII, if appropriate approvals have not been granted for the storage of these data. Identity Finder software also enables departments to keep an accurate inventory of all SSN data stored on laptops, desktop computers, servers, and other media (CDs, DVDs, tape backups, USB thumb drives, etc.), that has been approved as required by the Data Protection of University Information (IRM-003) policy, and the Highly Sensitive Data Protection Standard and Highly Sensitive Data Protection Procedures.
All non-student users must perform scans at least quarterly on any electronic device or media that may store University data, whether owned by an individual or the University. If users are approved to store highly sensitive data on individual use devices or media, Identity Finder (or equivalent) must be run on all storage areas at least quarterly, and any HSD found on unapproved storage areas must be remediated immediately, as stipulated in the Highly Sensitive Data Protection Standard. Departments may set more specific guidelines for faculty and staff.
[Until May 13, 2021 - See Exception 200 for change to the quarterly scanning requirement.]
It is recommended that users, especially who job duties include handling HSD, acquire the managed client version of the Identity Finder software to automate scanning and remediation tasks as well as provide a log of these activities.
2. Procedures for Locating Highly Sensitive Data
Installing and Using the Identity Finder on an Unmanaged Individual Client
Download the Identity Finder installer software: Non-student users running Identity Finder on an unmanaged client (computer that does not have Identity Finder installed and managed by the Identity Finder Management console) must download and install the software by first logging in with NetBadge, selecting the correct version of Identity Finder for your computer (Windows or Macintosh), and following the prompts. Identity Finder software is no longer available. [Please see Exception 200 for change to the quarterly scanning requirement.]
In order to respond to audit requests and/or forensic investigations involving HSD, departments must demonstrate compliance with scan and remediation requirements referenced above. Therefore non-student users must be able to provide the following documentation for every scan completed: 1) the date of the scan, 2) the user performing the scan, and 3) the actions taken to remediate any identified highly sensitive data (HSD) that was not in an approved storage location.
Department management must review the documentation to ensure scans are properly completed on the required schedule. These requirements are mostly easily met by using the Management Console (managed client) version of Identity Finder. Departments are strongly encouraged to make use of the Identity Finder Management Console.
When users run their periodic scans, they must print or save their initial scan results (making sure not to display the full details of any highly sensitive data). If remediation is required, they can re-run the scan following remediation and print or save the “clean” scan results. Any printouts or saved reports should be signed and dated and kept for future audit or security reviews. These reports can be kept in either electronic or printed form, in a secure area as they are classified as Sensitive Data. These reports MUST NOT contain the details (e.g., the SSN) of any HSD found in the scan. Department management must periodically review these documents to confirm that both scanning and remediation have been completed.
Using the Identity Finder on a Managed Individual Client (Preferred)
Non-student users running Identity Finder on a managed client (computer that has Identity Finder installed and managed by the Identity Finder Management console) do not need to download the software or document the date of scan, the user performing the scan, or any actions taken to remediate identified HSD that was not in an approved storage location. Nor is there a need for department management to review the documentation to ensure that scans are completed on the required schedule. These processes are done automatically by the central management console, thereby fulfilling the requirement for documentation of quarterly scans and any necessary remediation.
Using the Identity Finder Management Console
The Identity Finder Management Console enables departments to keep an accurate inventory of all HSD data stored on electronic devices and media, including laptops, desktop computers, servers, and CDs, DVDs, tape backups, USB thumb drives, etc. as required by the Data Protection of University Information (IRM-003) policy, and the Highly Sensitive Data Protection Standard and Highly Sensitive Data Protection Procedures.
The Identity Finder Management Console has two parts: client software installed on the UVA computer and a server that collects the completed reports. In order to use the Identity Finder Managed Individual Client and Management Console, the department must designate an LSP or person with like responsibilities to manage the installation and operation of the Identity Finder Client software and Management Console and approve this person's access to the JointVPN. Typically the department head/chair or designee provides these approvals. Email [email protected] to request access. Identity Finder software is no longer available. [Please see Exception 200 for change to the quarterly scanning requirement.]
Once approved, the LSP designee must obtain a UVA Identity Token and access to the JointVPN and complete introductory console training provided by the Information Security office.
The Identity Finder Management Console offers several benefits to UVA departments:
- Evidence that scans have been completed
- Management awareness of highly sensitive data
- Easier remediation
- Automated scanning and remediation reports
- Centralized departmental management of scans
- Reduced false positives
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Data Protection of University Information (IRM-003)
- Highly Sensitive Data Protection Standard
- Highly Sensitive Data Protection Procedures
- University Data Protection Standards
5. Further Guidance
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.