Restricted Data Discovery Project

Compliance requirements, particularly the requirement to notify users/the public when data breaches occur, have increased the consequences of inappropriately disclosing restricted information.

Historically, UW has propagated data throughout our systems in order to complete its business:  on end user computers, on servers and in databases.  This data sometimes contains restricted information such as social security numbers and bank account numbers. Often users and administrators do not know (or have forgotten) that restricted or sensitive information is on their machines.

Given the current threat environment and data breach disclosure law, finding and quantifying where restricted data is stored so that it can be adequately protected or removed is essential to risk reduction.

Automated tools are needed to assist in identifying, counting and reporting this data, given the vast and diverse data repositories in use today.

The purpose of this project is to acquire software which automates the discovery of restricted or sensitive data, allowing users and IT administrators to take appropriate remediation actions.

Project deliverables are to:

  • Identify requirements for a tool to find restricted and other sensitive data on desktops, servers, email and databases. 
  • Based on these requirements, create and distribute a Request for Proposal (RFP) for a search tool that locates and reports restricted data.
  • Evaluate, select and license a product.

Shortly after a product is selected, the team expects to roll out a project that encompasses a support infrastructure, best practices and end user education.

An RFP was distributed in February 2009. Evaluation and selection of a product was completed in May 2009. Licensing negotiation with the selected vendor is underway, and general availability of the product is expected in Summer 2009. Contact IT Security for more information.