Handling Personally Identifying Information

Personally Identifiable Information (or PII) is information, such as Social Security Numbers (SSNs), that can be used to uniquely identify a person. Stolen PII is frequently used to commit identity theft and fraud, and should be guarded carefully. Hackers and malware will search a compromised computer for SSN's they can find. As a matter of good practice, you should never keep any unprotected PII on your workstation. For Columbia employees and equipment, any PII should be protected with strong encryption or removed.

The capture, storage and retention of confidential and sensitive information by CUIT employees is permissible only if it is a University business requirement and complies with Columbia University's Social Security Number and Unique Person Number Usage policyData Classification policy and University Requirements for Endpoints Containing Sensitive Data. Even if you a private or student user, it is still highly advised to identify and secure your data with comprhensive tools and encryption.

The "Workstation Security Best Practices - User Guide" provides ten technical and procedural steps for securing your computer and work environment. Please read the document and adhere to these best practices.

This page provides information and software tools to identify, remediate, and secure sensitive personally identifiable information (PII) that could be resident on your computer.

The first step to securing your computer against PII theft is finding and Identifying any instances of PII on your workstation. The following tools can help you scan your PC, and some even help you perform remediation (delete or encrypt) the data so it's no longer sitting out in the open.

CUSpider (required for SSN identification and remediation)

  • CUSpider Website
  • Use: Identifies files that contain SSN
  • Cost: Free/Open Source
  • Included on certain staff PCs as part of the CUIT standard image
  • Supported by CUIT

CUSpider scans a computer for Social Security Numbers, produces a list of files, and provides options for you to take immediate actions for remediation.

CUSpider is a modification and repackaging of Spider2008 version 4.0.2 (Latrodectus), an open-source program PII-scanning program developed by Cornell University and Wyman Miles (that is also listed below). CUSpider has been customized for Columbia University usage.

Verify each file that CUSpider finds. Due to the method CUSpider uses to discover potentially sensitive files, CUSpider may produce false alarms. Each file must be opened and examined before decisions can be made concerning what actions must be taken.

CUSpider is only available for PC 's running Windows XP Service Pack 2, and requires .NET 2.0 or higher installed.

For Columbia University Central Administration areas there is a separate version of the Spider software for centralized SSN scanning. For more information on the centralized Spider scanning software, please contact the CUIT Security Office (CISO) at security@columbia.edu.

OpenDLP

  • OpenDLP Website
  • Use: Identifies files that contain SSN via centrally-managed deployment
  • Current Version: 0.4.4
  • Cost: Free/Open Source
  • Not supported by CUIT

OpenDLP is another open-source alternative, though more strongly geared towards a centrally managed, server-client environment. It can push out scans over network shares and to any Windows Domain connected computer, even without a pre-installed client agent. It has a much lighter memory footprint than Spider or CUSpider, though it does not posses the ability to scan as many specific types of files as either.

This program is NOT supported by CUIT.

Spirion

  • Spirion Website
  • Use: Enterprise-level PII scanning program, with centrally-managed server software and proprietary algorithms to reduce false positives
  • Current Version: 5.7
  • Cost: Enterprise costs contingent on size of deployment. Home version for $40. Free Personal Version is Free
  • Not supported by CUIT

Spirion is an enterprise level PII scanning application and DLP manager. It uses proprietary algorithms to dramatically lower the false positive rate, and includes a centrally-managed command and control server.

This program is NOT supported by CUIT.

The purpose of remediation is to rid your computer of any exposed Personally Identifiable Information (PII) by either redaction or secure deletion. The settings included in this distribution of Spider specifically search for only one type of PII, Social Security Numbers.

As you go over each of the search results, ask yourself two key questions:

The ideal method for eliminating the risk posed by PII/SSNs is to securely delete the files containing them. Securely deleting a file differs from "regular" deletion in that it overwrites the physical area of the disc where the bytes comprising the file were stored. Overwriting those specific bytes ensures that the file cannot be retrieved or recompiled after deletion by most forensic or retrieval programs. CUSpider offers a powerful Secure Erase option (accessible from within the search results) that is recommended by the CUIT Infosec team as the primary means of securing exposed data.

If you find that you do require the file for your duties, consider redaction, or removal of just the PII/SSN, as an option. Removing the PII/SSN from the file provides an acceptable measure of security while also letting you keep the rest of the file. CUSpider provides a redaction option for a number of file types from within the application.

If you find you do need the PII/SSN itself for your work, you must encrypt the file. Please consult this webpage of recommended encryption software for the solution that best balances your duties with the university's security concerns. You can also contact us at cuit-infosec@columbia.edu for consultations on how best to mitigate the risk.

According to Columbia University policy, any sensitive data, such as PII, that must remain on University workstations should be encrypted with 256-bit encryption (at minimum). Policy also requires that any files containing sensitive or confidential information must be encrypted and password protected before being transfered to another party via email or any file transfer method.

The following tools can help you secure your data and meet University standards.

Contents