IT To Scan All Computers For Sensitive Data

Dear Colleagues,

As you are aware, a laptop was stolen from a faculty member's office on February 27, 2007. This laptop contained 988 student Social Security numbers, although we have received no reports of identity theft related to the incident.

While Information Technology (IT) is implementing security improvements to prevent such problems, I believe that it is imperative that all College employees review their computers for personally identifiable information, such as Social Security numbers. Everyone should pay close attention to class rosters created before the Spring 2003 semester, and any other lists of student or employee information created before October 2002. If you find lists or information containing Social Security or credit card numbers, you should delete that file immediately. If you have a business need for that information, you will need to request authorization from your area vice president to store the data on a secure network drive. The College passed a policy on February 19, 2007 that forbids the storing of Social Security or credit card numbers on mobile computing devices, such as laptops, thumb drives, PDAs, etc. Please refer to the following link if you have any questions about the college policies regarding the saving of personal information: http://www.mscd.edu/~infotech/policies.

In addition to this measure, which we should all begin immediately, IT has begun implementing the following measures to help ensure that a similar incident does not occur again:

• Scanning of all college-owned desktop computers. IT is completing a process to scan all computers that are connected to the college's network. Beginning on April 4, 2007, we will be scanning all college-owned desktop computers for number sequences that appear to be Social Security or credit card numbers. We will not be scanning for any other information. If we identify any potential confidential information on the computer, we will contact the employee via e-mail to request that all confidential information be removed. No data will be removed remotely by IT. We will also contact employees if no confidential data is found to inform them that the scanning has been completed. All employees will be expected to remove this information within two weeks. After that time, IT will rescan the computers to ensure that the data has been removed.
  
  
• Escalating the process to encrypt college-owned laptops. IT will be escalating the importance of scanning and encrypting all college-owned laptops. We have targeted completing this project by the end of the Spring semester. We will be using an outside consulting group to complete the project as quickly as possible. In addition to the security project, we will be using them to improve the laptop image and add more features for users.

IT will continue to work diligently to protect all campus information. I want to thank everyone for their continued support and patience with this process as we make these important improvements to the College's computing infrastructure.

One valuable suggestion I have heard from the campus is for IT to provide a tool allowing all computer users to scan their own computers, college or personal, for confidential data. I have included a link to free software that will allow anyone to scan their computer for this type of data. I have also included a link for free software that will securely delete files from your computer. With your help, we will be able to achieve positive outcomes for everyone using the College's resources. As always, I welcome your feedback on this or any other IT project, so we can continue to improve the process.

Sincerely,

George Middlemist, Interim Vice President Information Technology

Eraser 5.82 secure data removal tool for Windows
http://sourceforge.net/project/showfiles.php?group_id=37015

Cornell spider to identify files that may contain confidential data
http://www.cit.cornell.edu/computer/security/tools/