Scanning Tool

Proventsure's Governance and Compliance Platform scanning tool is available to all Penn State departments. This client-server application scans systems for Trojans, rootkits, SSNs, credit cards, and bank account information. Overall, the results can be used to help identify and remove or protect such Personally Identifiable Information (PII), which could have a significant impact on areas such as eDiscovery and regulatory compliance reporting.

The scanning of University-owned computers will help mitigate the risk of personally identifiable information loss. Departmental Information Technology (IT) staff responsible for scanning for PII can obtain additional information and request PII scanning from Security Operations and Services, a unit of Information Technology Services (ITS), by filling out a Web-based form: http://sos.its.psu.edu/piiscanning.html. For those who are more technically adept and wish to conduct their own scan, a protocol for self-scanning is being developed, and is slated to be released at a future date. However, as noted, that process should be used only by those who are very technically astute in order to prevent loss of data or incomplete scans that will need to be repeated.

FAQs

  1. What is the purpose of the scan?
  2. What type of computers are required to be scanned?
  3. I can attest my computer is clean and free of sensitive information. Does my computer still need to be scanned?
  4. How does the software work?
  5. What is the scanning process from start to finish?
  6. Can we see the report from our computer?
  7. What does the scan report look like?
  8. Can the scanning tool tell the difference between student IDs and SSNs?
  9. Will this affect the performance of my computer?
  10. Will the scan expose personal information I have on my computer?
  11. What is the scanning interval?
  12. What information is sent to the ITS Server?
  13. When should we start scanning?
  14. I am not an IT person, can I still scan my system before this process is initiated in my department?
  15. Is the scanning program required?
  16. Is there a secure delete method for data removal?
  17. How does this benefit me?
  18. Do other educational institutions have a scanning program?
  19. What can I do to get started on the scanning program?

1. What is the purpose of the scan?
A. To protect you as an individual, as well as the data with which you work. Governing state and federal regulations, as well as contractual agreements, exist today and have strict storage and handling requirements. Visit the links of interest page for examples of current regulations and standards. If sensitive data is not handled in a protected and secure manner, significant fines can be levied and the University’s reputation could be seriously damaged.

2. What type of computers must be scanned?
A. In the early phases of scanning, University-owned computers in University facilities will need to be scanned.

3. I can attest my computer is clean and free of sensitive information. Does my computer still need to be scanned?
A. Yes. University leadership recommends you scan all University-owned computers you possess. Prior incidents indicate “clean” machines do hold sensitive data.

4. How does the software work?
A. The software scans the files on your computer looking for what has been defined as possible sensitive information. Unlike a virus scan, it only runs on command and searches for strings of characters such as Social Security Numbers (SSNs) and credit card numbers. (The scanning process only looks for SSNs, credit card numbers and bank account/routing numbers.) It also has the added benefit of detecting malicious code such as Trojan Horse programs and rootkits.

5. What is the scanning process from start to finish?

  1. Proventsure's scanning client will be installed or will run from a USB jump drive.
  2. An initial scan will be performed; future periodic scans will be scheduled.
  3. Upon scan completion, the report of file locations and any offending strings (the number that the software identified as possible PII) will be sent to a central server maintained by ITS.
  4. The report will then be evaluated by you and your IT staff with consultation by IPAS & SOS staff.
  5. Following the scan, the departmental IT staff will work with the individual involved in the situation to verify the existence of sensitive information and will explain the appropriate steps necessary to remove the data.

6. Can we see the report from our computer?
A. The report does not reside on your local computer. The report can be obtained from ITS for immediate remediation. If suspect files are detected, your IT staff can review the report with you and help you remediate.

7. What does the scan report look like? 
View the sample scan report.

8. Can the scanning tool tell the difference between student IDs and SSNs?
A: Yes, since SSNs never start with the number 9.

9. Will this affect the performance of my computer?
A. The scan process may cause slight slowness while it runs, but your computer will still be usable. It is very similar to an anti-virus scan running in the background but does not run continuously.

10. Will the scan expose personal information I have on my computer?
A. The scan will search for character "strings," such as the numerical pattern used in a Social Security Number or credit card, but will not expose the actual file contents.

11. What is the scanning interval?
A. The frequency of scanning can be set at the discretion of the department.

12. What information is sent to the IPAS Server?
A. The Proventsure software creates a report of the file location and the detected string. This information is sent to a server maintained by Information Technology Services (ITS). The software does NOT automatically delete files (like anti-virus software) nor does it send the entire file contents in the report.
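
The pattern matching described in questions 4, 8 and 12, sketched as an added Python example; it is not Proventsure's code and does not reproduce its actual detection logic. The regular expressions, the Luhn checksum for card numbers, the never-issued SSN ranges, the line number in each report row, the function names and the sample text are all assumptions made for illustration.

```python
import re

# Nine-digit candidates, with or without dashes: 123-45-6789 or 123456789.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-?(\d{2})-?(\d{4})(?![\d-])")
# 13-16 digit card candidates, digits optionally separated by a space or dash.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,15}(?![\d-])")

def luhn_ok(digits):
    """Luhn checksum (an added assumption) to weed out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_nine_digits(area, group, serial):
    """Apply the page's rule: a leading 9 means it is not an SSN."""
    if area.startswith("9"):
        return "student_id"          # not reported as PII
    if area in ("000", "666") or group == "00" or serial == "0000":
        return None                  # never-issued SSN ranges (added check)
    return "ssn"

def scan_text(location, text):
    """Return report rows of (location, line number, kind, matched string)."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if classify_nine_digits(*m.groups()) == "ssn":
                rows.append((location, lineno, "ssn", m.group(0)))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group(0))):
                rows.append((location, lineno, "credit_card", m.group(0)))
    return rows

# Constructed sample input; every number below is made up for the example.
SAMPLE = (
    "Payroll note: employee SSN 123-45-6789 on file\n"
    "Student ID 912345678 enrolled in IST 110\n"
    "Card on record: 4111 1111 1111 1111 exp 01/10\n"
    "Order reference 1234 5678 9012 3456 shipped\n"
)

if __name__ == "__main__":
    for row in scan_text("C:/Users/example/notes.txt", SAMPLE):
        print(row)
```

Each row carries only the location and the matched string, never the surrounding file contents. The 9-prefixed ID and the 16-digit order reference that fails the checksum are left out of the report.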

13. When should we start scanning?
A. Your department may start scanning as soon as they like. The purpose of scanning University-owned computers is to determine whether any sensitive information resides locally. Sensitive data residing locally has many associated risks; therefore, the files detected from a scan must be removed immediately. It is important to implement a plan for remediation prior to getting started. To comply with such statutes, departments must ensure sensitive information is being properly secured.

14. I am not an IT person, can I still scan my system before this process is initiated in my department?
A: Yes, Proventsure has a self-scanning tool that can be used by faculty and staff who choose to self-scan. However, it is highly recommended that you work with your IT staff unless you have a high degree of technical skill. As noted previously, a self-scanning protocol is currently under development for release at a future date. At this time, faculty and staff are encouraged to work with IT staff to perform a scan prior to a departmental-wide scan.

15. Is the scanning program an IPAS requirement?
A: File scanning is a University-wide program that was developed to ensure the privacy and security of critical information. The IPAS team is responsible for raising awareness and consulting with departments on best practices. It will be necessary for PII data to be located and remediated either via the central process or via an approved self-scanning protocol. That protocol is currently under development, as noted previously.

16. Is there a secure delete method for data removal?
A: Yes, there are several applications available to securely delete the data. Contact your local IT support for additional information.

17. How does this benefit me?
A. By ensuring that computers you use do not contain sensitive data, you are less likely to be involved in a data breach remediation and/or University sanctions. As the theft of laptops and network-based intrusions continue to rise, there is a real need to protect sensitive information by improving your personal security environment. "Think globally, act locally."

18. Do other educational institutions have a scanning program?
A: Yes, just to name a few...

  • University of Pittsburgh (Pitt)
  • James Madison University (JMU)
  • Rochester Institute of Technology (RIT)
  • Louisiana State University (LSU)
  • University of Maryland Baltimore County (UMBC)
  • George Washington University (GW)
  • University of California - Berkeley
  • American University (AU)

19. What can I do to get started on the scanning program?
Complete a PII scanning service request form located on the Security Operations and Services Web site.

 

 

 

Copyright 2007 The Pennsylvania State University