Electronic Restricted Information
How to find YOUR DEPARTMENT'S electronic RESTRICTED INFORMATION
- Learn how to download and use the SENF "sensitive number finder" to look for social security and credit card numbers in your electronic files.
- Schedule a discovery appointment for your department - colleagues from IT will be available to help you think through where RESTRICTED information may be found and how to deal with it.
HOW TO INVENTORY YOUR DEPARTMENT'S electronic RESTRICTED INFORMATION
In order to create your inventory, your department will need to find its electronic restricted information. For small departments, this task can be assigned to one person; but for larger departments, it may be better to get together and strategize an efficient approach.
In general, departments should follow this outline when looking for RESTRICTED information:
- Each computer and network share should be scanned for sensitive numbers. Make note of where any restricted information was found.
- Review business processes to determine the flow of restricted information through the department; trace that flow and make note of the electronic objects where that restricted information is found.
- Determine if you will delete any old caches of restricted information before filling out the inventory. Remember to check with the department supervisor and the records retention schedule before deleting information.
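The first step of the outline, as an added example (this is not SENF and not code from this page): a small Python scanner that walks a folder and records, for each file, how many Social Security and credit card number candidates it holds, giving the "where it was found" notes the inventory asks for. The patterns, the function names, and the sample files are assumptions made for illustration.

```python
import os
import re
import tempfile
# Candidate patterns: dashed SSNs and 13-16 digit card numbers (spaces/dashes allowed).
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,15}(?![\d-])")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Reject ranges never issued as SSNs (area 000, 666, 9xx; group 00; serial 0000)."""
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

def scan_text(text):
    """Return counts per kind; the numbers themselves are never returned or printed."""
    ssn = sum(1 for m in SSN_RE.finditer(text) if ssn_plausible(*m.groups()))
    card = sum(1 for m in CARD_RE.finditer(text) if luhn_ok(re.sub(r"\D", "", m.group())))
    return {"ssn": ssn, "card": card}

def scan_tree(root):
    """Walk root and return inventory notes: (relative path, kind, count)."""
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skipped here, so check it by hand
            notes += [(os.path.relpath(path, root), k, n) for k, n in counts.items() if n]
    return notes

def demo():
    """Constructed sample files; 4111 1111 1111 1111 is a well-known test card number."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "roster.csv"), "w") as fh:
            fh.write("name,id\nA. Example,123-45-6789\nB. Example,000-12-3456\n")
        with open(os.path.join(root, "receipts.txt"), "w") as fh:
            fh.write("paid with 4111 1111 1111 1111\norder ref 1234 5678 9012 3456\n")
        return sorted(scan_tree(root))
```

The scanner reads files as plain text only, so numbers inside binary office documents, archives, or databases still need a dedicated tool or a manual review.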
Please refer to the Quick Reference Guide as you work on your inventory for basic concepts and procedures.
Departments may schedule a discovery meeting, as above. In these meetings an IT facilitator will lead the department in a business process review, assist with getting the RESTRICTED information objects noted and conduct brainstorming on possible solutions to RESTRICTED information problems. Please see the link above for more information.
Additionally, please e-mail questions about the inventory to firstname.lastname@example.org or contact Kim Cary, x6655.
Completing the Inventory
Fill in the inventory form using Microsoft Word. For each object or group of objects containing RESTRICTED data, enter a description, location, process, and disposition (i.e., whether you will delete, control, or re-engineer this data). When your inventory is complete, print it out for the departmental supervisor to sign, and mail it to the address on the form before Monday, March 16, 2009.
To begin your Inventory report, download the General Electronic RESTRICTED Information Inventory form.
If your department has no RESTRICTED information or has removed all RESTRICTED information from its computers, drives and systems, please download the No Electronic RESTRICTED Information Attestation form. Turn this in by Monday, March 16, 2009 instead of the Inventory listed above.
What comes After the inventory?
After your inventory has been received, Information Security will analyze your situation and consider specific recommendations. Department supervisors that have completed an inventory will receive these recommendations by April 3, 2009. The recommendations will address each type of object or system listed on the department's inventory, covering how to apply a certain encryption control, how to change the business process, or how to remove the restricted information. It is expected that following the recommendations, there will be an opportunity for consultation as well as implementation assistance.
IT will be available to install, train, or consult with you on the implementation of encryption controls or other technical solutions related to re-engineering business process to remove RESTRICTED information. Please contact the Information Security office for assistance once you have received your recommendations.
TIMELINE FOR THIS CLEANUP
In order to make it possible for everyone to do the cleanup well and with as little stress as possible, we will be following this timeline:
Inventory - February 16 - March 16, 2009
Departments will find and inventory their RESTRICTED info.
Recommendations - March 16 - April 3, 2009
Information Security will write control and cleanup recommendations for each department that has submitted an inventory.
Implementation - April and May 2009
Each department will remove or apply controls to RESTRICTED information, with assistance from Information Technology as requested.
Audit - June 2009
Internal Audit will conduct a professional review of departmental compliance with the ICPP (policy) with respect to RESTRICTED information.