To find and secure personal information on your computer, the Information Security Group recommends that you install and periodically run Identity Finder, which lets you hunt down personally identifiable information such as passwords, social security and credit card number, and then to secure it.
The full enterprise version is available to all active faculty and staff. Anyone (students and home users) can install a free version available from the Identity Finder website on their personal computers to perform basic search and remediation.
Here are the basic steps to using Identity Finder, followed by an FAQ.
- Install Identity Finder. Faculty/staff can find it on Software Catalog (brown.edu/go/software). For students and home users, software is available from the Identity Finder website which includes the free application, Password Sweeper.
- Activate the software. Create a password to secure your reports.
- Define your search: what drive(s), types of files, kinds of PII. ISG recommends configuring your search for your own hard drive and to detect credit card and social security numbers (highest risk and fewest false positives).
- Protect any PII found by destroying or securing it (options include Shred, Scrub, Secure and Quarantine).
- Schedule regular runs. How often depends on what kinds of PII you routinely deal with (once a week if so, quarterly at a minimum.
- Questions about using the software? Check out the Windows and Macs online manuals.
- What is Identity Finder?
- What is the objective of making Identity Finder available here at Brown?
- Who can use it?
- What operating systems does Identity Finder run on?
- Where can I find it and how do I install it?
- Do I need to have an IDF password (requested upon install)?
- What type of files does IDF search and where?
- What should I be searching for?"
- How do I use IDF to search for sensitive data?
- Once sensitive information is discovered, what actions can be taken?
- Is my personal information being collected somewhere?
- Is it possible for anyone to see details of my PII?
- Can anyone suffer negative consequences as a result of running IDF?
- How often should I run IDF?
- What if IDF identifies something as a Social Security or credit card number, but it's not and I want to keep the info as it is. Will this come up every time I do a scan?
- What if I need help with IDF?
Q. What is Identity Finder?
A. Identity Finder (IDF) is software that helps prevent identity theft and aids in keeping Brown compliant with federal and state laws by detecting and securing sensitive data on your computer. IDF is able to detect patterns -- such as those for Social Security, credit card and bank account numbers, references to passwords and other customizable data that you would specify.
Q. What is the objective of making Identity Finder available here at Brown?
A. Adding regular scans with Identity Finder to other information security measures already in place helps Brown to not only remain in compliance with regulatory and legal obligations, but also to lower its (and the individual user's) level of risk.
Q. Who can use it?
A. All active employees -- faculty and staff -- can download and install the full enterprise version of IDF from the Software download pages (see links below) onto their Brown computers. Anyone (students and home users) can install a free version available on the Identity Finder website on their personal computers to perform basic search and remediation. More robust personal versions are also available from IDF's site.
- Supported Windows versions: Windows 7, 8.1
- Supported Mac versions: OS X 10.6 - 10.8 (IDF is currently not compatible with v. 10.9 and 10.10)
Q. Where can I find it and how do I install it?
A. You can download both Windows and Mac versions from the Software Catalog. Installation instructions are provided on that page.
Q. Do I need to have an IDF password (requested upon install)?
A. You do not need to use a password, signing on as a guest instead. However, a password is necessary to protect any search you wish to save and the sensitive information contained within that file. For this reason, it is recommended that you do use a password, but with care, since if you forget your password, you will be unable to load your saved results nor login to the application.
Q. What type of files does IDF search and where?
A. IDF searches can be configured to search your entire hard drive (whether on a laptop or desktop), as well as external drives for many file types including:
- Microsoft Office files
- PDF files
- Compressed files
- Cached websites and cookies
- Registry keys
Q. What should I be searching for?
A. To meet regulatory compliance, ISG recommends searches that target social security and credit card numbers. This data is at highest risk and searches for it produce the fewest false positives. After an initial search and you secure any data found, you can broaden your search to other sensitive information (i.e., anything that if lost could present a risk to Brown, you, or someone else). See the document on Brown Restricted Information for a list and more details.
Q. How do I use IDF to search for sensitive data?
A. The user guides (Windows |Mac) provide a good overview as well as step-by-step instructions for using IDF. Note that upon install, the final screen asks if you want to run a scan. You can do so then or wait until a later time.
Q. Once sensitive information is discovered, what actions can be taken?
A. You should take appropriate action and then rerun IDF to ensure all sensitive information is either removed or protected. After a scan, you will be presented with a report of its findings, which will list any sensitive information found that matches your search criteria and its location. You can save the file for later action on it (requires a password) or take immediate action. Your choices include:
- Shred: Use this option if you wish to permanently remove any files that contain sensitive information. Use Shred ONLY when you no longer need that information as shredding is not reversible, and once removed, it cannot be retrieved.
Example: An old Excel spreadsheet listing student workers and their social security numbers.
- Scrub: Use this option when you locate a match on sensitive data and wish to remove just that data but leave the rest of the file intact. Note that scrubbing (also referred to as redacting) is limited to certain file types.
Example: An Excel spreadsheet listing current workers, their emergency contact information, birth dates and social security numbers. Since the information is still relevant, remove the social security numbers, and if you don't need them, the birth dates as well.
- Secure: Use this option when sensitive information is identified but you wish to keep it and the context in which it is located. The Secure option lets you encrypt and password-protect the file to prevent unauthorized individuals from accessing it. Note that this option is handy when you discover sensitive data files but don't have the time to immediately remove them.
Example: As in the above example for Scrub, but as the department financial manager you need the employees' social security numbers at this time.
- Quarantine: Use this option when a file has sensitive identity match information in it and you wish to securely move the file to another location. Quarantine will move your file and then shred the original so that it cannot be recovered by anyone who gains access to your computer. It is important that you quarantine files to a location that is highly secure, such as an encrypted drive or a storage device to which unauthorized individuals do not have access.
Example: An Excel spreadsheet with sensitive information of former employees. There is no current need for it but for legal and historical reasons you wish to preserve the file.
Q. Is my personal information being collected somewhere?
A. The Information Security Group (ISG) is collecting summary data such as the number of passwords, mother's maiden name, social security numbers, credit card and bank account numbers found during an Identity Finder scan. This data is analyzed to track what is being found and if the risk is then being addressed, which keeps Brown in compliance with identity theft legislation.
Q. Is it possible for anyone to see details of my PII?
A. While this level of granularity is available, the ability to view this detailed PII is limited to two high level information security staff, who do not view this information as there is no need. As with other personnel at Brown who have access to student, HR and financial information, ISG staff are bound by a confidentiality agreement to respect the privacy of others.
Q. Can anyone suffer negative consequences as a result of running IDF?
A. No, there are only benefits to doing so. It will let you know whether or not you have PII that needs to be protected and gives you the means to remove or protect it. It will also raise your awareness about introducing any new PII onto your computer so that you can take appropriate action at the time. Regular scans will reduce your individual risk as well as Brown's institutional risk. Should PII be detected, no data will be deleted by the IDF administrators, nor will individual data be accessed without business need (following the Emergency Access Policy), or equipment removed because of the data that is found.
Q. How often should I run IDF?
A. It depends on the level of possible risk. If you're dealing with sensitive data on a regular basis, it is recommended that you run IDF weekly, which can be configured to run automatically. Because it runs so quickly and in the background, we recommend that you run IDF at least quarterly to ensure that your machine is free of restricted data. And in the event your computer is lost or stolen, this will not only provide peace of mind that you have not put any restricted information at risk but can report this to ISG.
Q. What if IDF identifies something as a Social Security or credit card number, but it's not and I want to keep the info as it is. Will this come up every time I do a scan?
A. This is an example of a false positive, which does occur occasionally. You can configure IDF to ignore it on successive scans.
Q. What if I need help with IDF?
A. For assistance with using IDF, its Online Help is quite comprehensive and a good place to start. You may also want to consult their user guides: Windows |Mac. For questions about policy and/or procedures, contact ISG@brown.edu.