Office of Information Security
Spirion is software licensed by Penn State to facilitate the discovery and remediation of Personally Identifiable Information (PII) across University-owned systems and networks. The software searches for Social Security, credit card, bank account, and driver’s license numbers contained within areas of a system including files, folders, and email clients. Once the scan is completed, the user is prompted to review the potential matches and remediate any PII found during the scan.
WHY IS IT IMPORTANT?
Discovering and remediating PII helps to prevent data breaches, maintain compliance with state and federal laws, and meet user responsibilities defined by University policies and guidelines. Only University systems specifically approved and authorized for the storage of PII are allowed to do so for business purposes. This process ensures that our systems do not unnecessarily contain PII related to our employees, families, vendors, students, or other affiliates of Penn State.
HOW DO I REDUCE FALSE POSITIVES OR INCREASE SCAN SPEED?
It is normal for the first Spirion scan on your system to take up to a few hours to complete. Once the initial scan is completed, Spirion will only scan new files or files modified since the previous scan. For systems containing research data that is modified on a regular basis, Spirion can be set up to exclude specific folders or data storage locations if these areas are known to not contain PII. If you experience long scan times or see large numbers of false positives, please let your IT staff know.
What is Spirion?
Spirion is software currently licensed at Penn State to facilitate the discovery and remediation of PII across University-owned systems and networks. The software searches for Social Security, credit card, bank account, and driver’s license numbers contained within areas of the system including files, folders, and email clients. Once the scan is completed, the user is prompted to review the potential matches and to remediate any PII found during the scan.
What types of data does Spirion search for?
Spirion can search for a wide variety of identity types, but scans at Penn State are configured to search for:
- Social Security Numbers (SSNs)
- Credit Card Numbers (CCs)
- Bank Account Numbers (BAs)
- Driver’s License Numbers (DLs)
Pennsylvania state law requires that individuals whose information has been compromised as a result of a data breach be notified if the above-mentioned identity types were compromised as a result of that breach. Limiting Spirion to only scan for these required identity types reduces false positives and increases the overall speed of the scans.
Where do I download Spirion?
The Office of Information Security supplies each unit with an installation file for Spirion that is unique to that area. If your computer did not come with Spirion already installed by your unit IT staff, you should contact them to get the correct installation file. Our license to the Spirion software permits installation on any system owned by Penn State. Unit IT staff can provide the necessary files for researchers to install software on systems that have been purchased by a grant or are self-managed.
What types of files and locations are searched?
Spirion is configured to search areas on the computer including the desktop, e-mail, web browsers, documents, user profiles, and other areas where data is commonly stored. Some areas of the computer are excluded from the search configuration to reduce false positives and improve scan speed. Additional exclusions can be configured for systems containing large data repositories and/or research data subject to regular modification if such storage areas/files are known to not contain any reportable PII.
How do I install Spirion?
The Office of Information Security provides installation files that are pre-configured with the most optimal scan settings for the University. These packages also contain the best settings to reduce false positives and ensure that scans are completed in a reasonable amount of time. Your unit IT staff can complete the Spirion installation for you or provide guidance on installing it yourself.
Are Penn State ID numbers considered to be PII?
Penn State ID numbers are not considered to be PII and will not be flagged by Spirion. They are, however, classified as internal/controlled information and should only be disseminated within Penn State and not to any public entity.
How often is my computer searched?
This is different for each unit as determined by their business needs. It is recommended that scans occur at least once every 30 days. Presently, most areas scan every other week. There are some areas which do not schedule automatic scans, but rather ask their users to run a manual scan on a defined basis. Your unit IT staff can tell you on what day and at what time scans are configured to run for your systems.
Who can view my results from a scan?
Once a scan completes, you are prompted to take action on any results found. Once the Spirion application is closed, the results are sent to a secure console maintained by the Office of Information Security. Designated IT contacts from your area are able to see limited information about the results found. Designated personnel from OIS are also able to see certain data elements from the scan. Entire files are never sent to the console from your computer; only limited information about the match found and the action taken can be viewed. The central console is a valuable tool for University leadership to assess the progress of PII scanning and remediation.
Can I keep my own or my family’s PII on my computer?
Your University-owned system should not contain PII for any individual unless you have permission from the University to do so and have met the requirements to securely store that data. If your or your family members’ personal information is lost as a result of a breach on your University computer, those individuals will not be notified that their information may have been compromised.
Do all computers need to have Spirion installed?
The majority of systems at the University do need to have Spirion installed and configured to run regularly. There are notable exceptions to this requirement including systems which do not store data, systems that are always offline, and core network infrastructure systems and components. If you are unsure if you need to install and run Spirion, please consult with your unit IT staff, the Office of Information Security, or the Privacy Office.
How do I use Spirion to remediate PII?
Training resources including videos and documentation are available below. You may also consult with your unit IT staff for guidance in using the application. The Office of Information Security is also available to assist with questions and concerns regarding the scanning process.
I have a business need for storing SSNs. What should I do?
Penn State utilizes a formal process to evaluate requests for local storage of SSNs that is designed to ensure that systems that need to regularly process SSNs are secure. In order to obtain an authorization, a series of steps must be completed as outlined in University policy AD19. The Privacy Office can assist with questions pertaining to an AD19 authorization and assist in the approval process.
I share a computer with other faculty/staff. How is this handled?
Typical Spirion scans will only search for data that belongs to the user who is currently logged into the computer. If you share a machine with other users, different types of scans can be used to search data across the entire computer. You should consult with your unit IT staff to ensure that the correct scan types are in place for shared systems.
How long will the scan take?
Scan duration depends directly on the amount of data stored on the system and on the speed of the computer itself. Systems with small amounts of data will complete faster than systems that store large data sets. The first scan you perform on a system with Spirion will always be the longest. Once the first scan is completed and results are remediated, subsequent scans will only search files that are new or have been modified since the initial scan. Also, some areas of the system are specifically excluded from scans during configuration of the software to make the process more efficient. OIS regularly reviews and revises the scanning configuration to improve scan speeds. If you are seeing extremely long scan times or regularly deal with large data sets, you should contact your unit IT staff. There are measures that can be put into place to resolve these common issues.
What if my computer is turned off during the scheduled scan?
In most cases your computer will launch the missed scan when it is powered on the next time.
Will the Spirion scan cause my computer to run slower?
By default, the OIS configuration settings in Spirion are designed to optimize scan speed. In most cases you should not notice a difference on your system when Spirion is running. On older computers or computers with large data sets, the machine may not have enough available resources to allow both Spirion and your regular work to run at their normal speed. You should consult with your unit IT staff, who can work with OIS, to make the necessary changes to provide a better scanning experience.
What options do I have for dealing with PII found by Spirion?
Once PII is found by Spirion, you have a few options to remediate the data. These options will be automatically presented to you within the Spirion interface. The standard remediation options are:
- Shred – This option permanently erases the file in which the PII was found.
- Scrub – This option will mask only the PII match found in the file with Xs.
- Ignore – This option tells Spirion that the result is not PII and not to display the file or match in the results again.
Can I install Spirion at home?
Spirion is only licensed for use on systems owned by the University.
Spirion found a match, but I’m unable to scrub or shred it. Why is this?
In most cases, the file is marked as “read-only” because it’s a false positive in a system or application folder. It may also be a file in a location where you do not have full access. If you are certain the match is not PII, you should use the “Ignore” option to mark the file as a false positive. This will prevent it from displaying again on future scans. If you are unsure whether the file contains PII, you should consult with your local IT staff.