Visit the main Spirion resource page
This page is referenced from policy ADG08 and further defines specific cases or circumstances when it is acceptable to exclude a system or storage device from PII scans with a Data Loss Prevention (DLP) client. Questions regarding any specific cases given or a question about any case or circumstance not listed should be directed to OIS by using the general question form located at OIS’s Service Now Forms for DLP requests.
This document references the terms “PII scanning” and “DLP client/tool”. The current University implemented DLP tool for PII scanning is Spirion. Data from any other scanning tool used in routine or compromised computer scanning will not be accepted.
To determine if a system needs to have a DLP client installed you first need to have a solid understanding of both the type of data the system stores locally and the intended institutional use of the system. The combination of these two pieces of knowledge will help you to determine whether the machine needs a DLP client or if it has been deemed safe and acceptable to exclude from scanning. Just because a system will be connected to a network does not necessarily mean that the system needs to be scanned for PII. If you see an example below that is excluded from DLP client installation but you know that the system as installed and utilized in your particular environment is used for the storage of PII data, you must scan your or the departments system as normal to conform with the policy requirements.
Server Operating Systems
- Not all servers need to be scanned and the decision to exclude from scanning should be based on the intended usage of the server. Because they would not typically be used to store PII data, the following server types may not require regular scanning.
- DHCP Servers
- Domain Controllers
- Embedded OS servers used for special vendor specific applications that do not store any type of user data.
There are cases where the line is not clear such as:
- Email Servers – Email must be scanned from a data perspective. You may choose not to install the client directly on the email server, but rather scan it from the client side machines that are connecting to the email store.
- Utility servers – May run specialized applications which cannot accept or are not likely to store PII data. These systems do not need to be scanned.
Undoubtedly you will have servers in your environment that are always subject to PII scanning with a DLP client, such as, file and web servers. Also included would be servers used to receive and store scanned documents which could contain PII. Scanned files would be subject to an OCR (optical character recognition) search to facilitate discovery of PII in image file types typically created in the optical scanning process.These types of systems must have a DLP client installed and must be included in your normal scanning schedule. Since these types of systems do not normally have users logged in, you will likely be scanning them with a “SYSTEM” scan scheduled from the console. It is important that you log into the DLP console and review results from the system scan on a regular basis to review the results and determine what data needs to be remediated.
End User Systems
Like servers, there are certain scenarios where a user’s desktop may not need to be scanned for PII. Such devices include the list below because of their use case scenarios.
- In the case of thin or zero clients, saving data locally is usually restricted in favor of storing data on the central file server so there is no need to scan. If you are using a thin or zero client environment and have configured them to store data or files locally, they must be scanned as normal. Even with thin or zero clients, the central fileserver should be scanned on a regular basis for PII and the results reviewed and remediated (as addressed in the “Server Operating Systems” section of this page).
- Machines connected to specialized lab equipment that are never connected to a public network
- Machines that are managed by CLM and are configured to not store data locally or to erase profiles once logged off.
For laptops and tablet devices it is reasonable to assume that data will be stored locally and must be scanned for PII on a scheduled basis in cases where the operating system is supported by the DLP client.
Encrypted Systems and Data
The usage of any encryption technology is not an exemption to PII scanning. This includes full disk, file and folder, container, and hardware based encryption. If a system utilizes an encryption technology and does not fall into one of the categories listed on this page it still must be scanned as part of your regular PII scanning process.
Systems which have a current SSN authorization must still be scanned in order to identify and quantify the type of PII contained on the system and to determine where it is being stored. SSN authorizations often are specific as to where and what types of data you are authorized to store. Any PII data residing on the system that does not meet the criteria defined by your SSN authorization needs to be found and properly dealt with according to University policies and procedures.
If you have any questions on whether a particular device or dataset needs to be part of regular PII scanning, you should contact the Office of Information Security (OIS). OIS can provide guidance to help you determine the proper course of action.