Electronic Resticted Information
How to find your department's electronic Restricted Information
- Learn how to download and use the SENF "sensitive number finder" to look for social security and credit card numbers in your electronic files.
- Schedule a discovery appointment for your department - colleagues from IT will be available to help you think through where RESTRICTED information may be found and how to deal with it.
How to inventory your department's electronic Restricted Information
In order to create your inventory, your department will need to find its electronic restricted information. For small departments, this task can be assigned to one person; but for larger departments, it may be better to get together and strategize an efficient approach.
In general, departments should follow this outline when looking for RESTRICTED information:
- Each computer and network share should be scanned for sensitive numbers. Make note of where any restricted information was found.
- Review business processes to determine the flow of restricted information through the department; trace that flow and make note of the electronic objects where that restricted information is found.
- Determine if you will delete any old caches of restricted information before filling out the inventory. Remember to check with the department supervisor and the records retention schedule before deleting information.
Please refer to the Quick Reference Guide as you work on your inventory for basic concepts and procedures.
Departments may schedule a discovery meeting, as above. In these meetings an IT facilitator will lead the department in a business process review, assist with getting the RESTRICTED information objects noted and conduct brainstorming on possible solutions to RESTRICTED information problems. Please see the link above for more information.
Additionally, please e-mail questions about the inventory to firstname.lastname@example.org or contact Kim Cary, x6655.
IT will be available to install, train, or consult with you on the implementation of encryption controls or other technical solutions related to re-engineering business process to remove RESTRICTED information. Please contact the Information Security office for assistance once you have received your recommendations.
Timeline for the clean-upIn order to make it possible for everyone to do the cleanup well and with as little stress as possible, we will be following this timeline:
- Inventory - February 16 - March 16, 2009
Departments will find and inventory their RESTRICTED info.
- Recommendations - March 16 - April 3, 2009
Information Security will write control and cleanup recommendations for each department that has submitted an inventory.
- Implementation - April and May 2009
Each department will remove or apply controls to RESTRICTED information, with assistance from Information Technology as requested.
- Audit - June 2009
Internal Audit will conduct a professional review of departmental compliance with the ICPP (policy) as respects RESTRICTED information.
Return to the RESTRICTED Information Cleanup website