All universities, as well as other public and private entities, must make all reasonable efforts to ensure the security of the data they maintain. Certain data, known collectively as Personally Identifiable Information (PII), require more stringent safeguards than other types of data.
The MTSU Information Security Policy I:03:06 dated July 1, 2009, covers the protection of University information in all its forms. It discusses what PII is, how it may be handled and stored, along with measures taken to safeguard that data.
Section V.J. of the Information Security Policy specifically addresses storage of PII, stating that, where possible, all records containing PII shall be stored on secure network drives with access limited to those individuals or entities that require access to perform a legitimate University function. Individual workstations, laptops, mobile storage devices and other personal computers (e.g., PDAs and home computers) shall not be used to store records containing PII except where permitted by policy.
To help the University meet the requirements of that policy, the Information Technology Division (ITD) is installing Identity Finder, an auditing software package, on all PCs and Mac computers across the campus. Identity Finder replaces Spider, an open source utility last updated in 2008, used to find SSNs, credit card numbers, and other PII in a variety of file types on MTSU computers. Identity Finder also replaces an existing manual process with an automatic process to ensure employee computers comply with section V.J. of the University’s Information Security Policy.
The primary differences between Spider and Identity Finder are:
1. More sophisticated search engine
2. The ability to run after hours for less disruption of the user’s productivity
3. The ability to search servers remotely
4. The ability to search websites, email servers and database servers
5. Centralized notification and remediation assistance
6. Works on Windows and Mac OSX
Identity Finder behaves very similarly to our anti-virus solution. The software scans the local desktop, and if it detects a possible issue, an alert will be generated to the management console. ITD Security will contact the user to work together to ensure the alert is valid, and if so, to secure the information.
The purpose of Identity Finder is to identify PII only. It does not perform an inventory of software or software licenses, or evaluate data in any way. Any data outside the scope of PII is ignored. Data that is within the scope of Identity Finder includes:
a. Social Security Numbers
b. Credit Card and PCI Data
c. Bank Account Numbers
The data that generates an issue is NOT sent back to the central management console. Only the computer name, data type (SSN, credit card number, etc.), and data location are maintained by the central management console.
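As an added illustration (not Identity Finder's code and not part of the original announcement), this Python sketch shows metadata-only reporting for two of the data types listed above, SSNs and credit card numbers. The patterns, function names, host name, file path and sample text are assumptions constructed for the example.

```python
import re
import socket

# Candidate patterns (assumed for illustration; commercial scanners use richer rules).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def valid_ssn(area, group, serial):
    """Reject values that are never issued: area 000, 666 or 9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    """Luhn checksum, which payment card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect_types(text):
    """Return the set of PII types present in text; matched values are not kept."""
    types = set()
    if any(valid_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        types.add("SSN")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            types.add("CREDIT_CARD")
    return types

def scan_text(text, location, host=None):
    """Build alert records holding only computer name, data type and data location."""
    host = host or socket.gethostname()
    return [{"host": host, "type": t, "location": location}
            for t in sorted(detect_types(text))]

# Constructed sample: 4111 1111 1111 1111 is a widely used test card number;
# the last row holds an SSN in a never-issued range and a number that fails Luhn.
SAMPLE = ("name,ssn,card\n"
          "J. Doe,123-45-6789,4111 1111 1111 1111\n"
          "row2,000-12-3456,1234 5678 9012 3456\n")

if __name__ == "__main__":
    for alert in scan_text(SAMPLE, "Documents/roster.csv", host="LAB-PC-A"):
        print(alert)
```

The validity checks are what keep false alerts down: the last sample row looks like PII to the regular expressions but produces no finding.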
Identity Finder will be automatically installed on all Windows computers connected to the FSA domain by April 1, 2013. Non-FSA domain computers, along with all Mac computers, will have the software installed manually until an automatic process can be developed.
Once installed, the software is configured to scan the computer on the first Thursday of each month at 2:00 a.m. Please ensure you leave your computer powered on overnight, with your account logged out.
You may read the Information Security Policy in full by clicking here.