Re: Identity Finder

[Gary Dobbins <dobbins () ND EDU>]

Ideally, if the department has previously defined those places and ways
where highly sensitive data are *supposed* to be handled, then a
decision by a lay person should be easy.  "If it's not in one of those
defined places, it should not exist."

Realizing that the above sounds a bit "let them eat cake"-like, it's the
core idea that I hope is helpful:  First start by narrowing the field
for them, with the intent of making it easier to figure out what to do
with each discovery.


> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David
> Escalante
> Sent: Friday, December 18, 2009 10:16 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Identity Finder
>
> Flynn, Gerald wrote:
> > > Read the Identity Finder manual and understand how individual
> settings
> > > impact what is found in a scan.  Understanding how to govern
> false
> > > positives is important for the remediation of the report.
> >
> > Can a lay person sort the grain from the chaff?
> This is a great question.  In terms of knowing whether something is
> a
> false positive or not, our experience is "yes, a lay person can
> figure
> it out."  The bigger problem we've run into is the person knowing
> how to
> navigate the file system or IMAP/Outlook local folders/files to
> properly
> get rid of the data, NOT the person figuring out if the scan
> results are
> legit.
> > How time consuming is it?
> The trite but true answer is, "It depends on how many results there
> are
> in the scan, and how you approach remediation."  I could give
> detailed
> examples, but I don't wish to on a public listserv.  So instead let
> me
> cite an example from Randy's earlier message -- if you have some
> mechanism for throwing all the positives into an encrypted area and
> dealing with them later, then it might not take much time at all.
> If
> you have 1,000+ results (yes, this does happen) that you wish to go
> through individually, then obviously it can be a huge time sink.
> The
> remediation part needs management to be successful -- running the
> scans
> is just a technical task.  Figuring out what to DO with the data
> that's
> flagged is a management problem.
> > The time to do data analysis and false positive elimination
> > prevents us from rolling out our current product to a wider
> > audience. We're doing all the analysis ourselves at this
> > point rather than the end user or department and it's a
> > significant labor expenditure.
> The approach we're taking is to point Identity Finder (Windows) at
> a
> central configuration file on a server.  When a user reports a
> false
> positive, we investigate, and if it seems like a legit false
> positive
> that will affect multiple users, we adjust the configuration (and
> our
> custom reporting tool, sometimes) as needed to ensure that other
> users
> won't see, and complain about, that same false positive.  This is
> more
> of a collaborative approach to the issue, sort of "You help us by
> reporting problems, we'll help you by propagating fixes."  Spreads
> the
> labor around.
> --
> David Escalante
> Boston College

Attachment: smime.p7s
Description: