Site Survey Assessment Model

This is a checklist for finding sensitive information in academic departments. The objective is to 'search and destroy' old data files that are Tier III information that do not need to be in operational use. This included a physical search for hard-copy and electronic versions of Tier III information.

What will we do when we find it? We need to sequester Tier III data and either implement Tier III controls or dispose of the Tier III information.

Disposing of Tier III hard-copy: use a cross-cut shredder or place in one of the university's IronMountain disposal boxes.

If there are electronic files on a backup CD, is there a place to shred these? At least have them manually break the CD in pieces before they throw it away. If a hard drive fails/or computer with sensitive data is replaced, is there a way to physically destroy the drive? Possibly use a drill press in the Bingham Machine lab.

Disposing of Tier III electronic files: file wiping. Note that deleting does not remove the information from a hard drive. The tool ccleaner [1] or eraser [2] integrates with the Windows Recycle Bin. MacOS has a 'secure file deletion' option.

Additional guidance is at [3]

[edit] Site Survey Audit Checklist

1. Do users know about the SSN policy?
2. Look for postings of SSNs or student information.
3. Look for spreadsheet data with SSN in recycle bins (dumpster diving).
4. Is there as shredder or IronMountain box bear the area? Where do they dispose of sensitive paper?
5. Use audit tools to search file on DA computers for SSNs (Spider works the best, see instructions below)
6. Use audit tool to search file shares for SSN.
7. Do they know how to 'wipe' files vs. deleting them?
8. Are machines protected from physical access/theft?
9. Are data backups done on a regular basis? What is done with the old backups?
10. Is there a server for the department? Where is it? Is it protected from access and theft? Who has password access to what files? What security measures are in place on the machine to prevent external hacking?

[edit] Supporting Tools

Find_SSN [4]is a python-based tool (written by Brad Tilley from Virginia Tech).

Find_CCNs [5] is a similar program for finding credit card numbers in a disk volume.

Spider from Cornell University. [6]

There are a number of commercial products that work from a personal standpoint with varying levels of speed and accuracy.

[edit] Using Spider

Here is a rough outline of procedure for using the Spider tool in a department.

1. Spider needs to be installed on each computer, there is currently not a way to do a push install or run off a U3 flash disk.
2. In the spider settings, only have it search through the Documents and Settings directory. There is no need to have it look through program and/or windows files.
3. Have spider create a log of possible bad files and make sure you know where the log file will be saved.
4. If someone in the department is handy with computers, they can probably look through the log of files names and sort out false positives (a file setting) rather than a word document/excel spreadsheet that might have Tier III information in it.
5. If no such person exists, send the log file to Tom Siu and he can have the auditor make a return visit and investigate the possible security holes.
6. If sensitive data is found, ask if it is still needed. If not, destroy. If yes, encrypt or secure in some way.