Educause Security Discussion mailing list archives
Re: Identity Finder
From: Gary Dobbins <dobbins () ND EDU>
Date: Fri, 18 Dec 2009 10:20:35 -0500
Ideally, if the department has previously defined those places and ways where highly sensitive data are *supposed* to be handled, then a decision by a lay person should be easy. "If it's not in one of those defined places, it should not exist." Realizing that the above sounds a bit "let them eat cake"-like, it's the core idea that I hope is helpful: First start by narrowing the field for them, with the intent of making it easier to figure out what to do with each discovery.
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Escalante
Sent: Friday, December 18, 2009 10:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Identity Finder

Flynn, Gerald wrote:

> Read the Identity Finder manual and understand how individual settings impact what is found in a scan. Understanding how to govern false positives is important for the remediation of the report.

> Can a lay person sort the grain from the chaff?

This is a great question. In terms of knowing whether something is a false positive or not, our experience is "yes, a lay person can figure it out." The bigger problem we've run into is the person knowing how to navigate the file system or IMAP/Outlook local folders/files to properly get rid of the data, NOT the person figuring out if the scan results are legit.

> How time consuming is it?

The trite but true answer is, "It depends on how many results there are in the scan, and how you approach remediation." I could give detailed examples, but I don't wish to on a public listserv. So instead let me cite an example from Randy's earlier message -- if you have some mechanism for throwing all the positives into an encrypted area and dealing with them later, then it might not take much time at all. If you have 1,000+ results (yes, this does happen) that you wish to go through individually, then obviously it can be a huge time sink. The remediation part needs management to be successful -- running the scans is just a technical task. Figuring out what to DO with the data that's flagged is a management problem.

> The time to do data analysis and false positive elimination prevents us from rolling out our current product to a wider audience. We're doing all the analysis ourselves at this point rather than the end user or department and it's a significant labor expenditure.

The approach we're taking is to point Identity Finder (Windows) at a central configuration file on a server. When a user reports a false positive, we investigate, and if it seems like a legit false positive that will affect multiple users, we adjust the configuration (and our custom reporting tool, sometimes) as needed to ensure that other users won't see, and complain about, that same false positive. This is more of a collaborative approach to the issue, sort of "You help us by reporting problems, we'll help you by propagating fixes." Spreads the labor around.

--
David Escalante
Boston College