Summary

Franklin OIT has adopted the following procedure for the scanning and mitigation of sensitive and restricted data located on network-shared resources such as individual and unit-level network file shares.

The Systems Management Team (SMT) Windows group will utilize campus standard tools to scan network file shares and services in order to identify files suspected of containing restricted data, such as Social Security Numbers (SSNs). These tools will be used to scan individual/personal network shares as well as unit-level group network shares and provide a list of suspected files to send to the unit.

Process

Perform scans on individual and unit shares on a quarterly basis.
Send the report/listing of files identified as containing restricted data to the identified owner or if no owner is identified, the primary contacts for the unit (offman/ctrom and/or head/dir).
From the time of notice, the recipient will have 30 calendar days to mitigate the restricted data or report back that the identification was in error (i.e., a false-positive).
- Individuals or units identifying a file containing restricted data as necessary for business must provide a business case for use and will be expected to fund and use a service built to handle this type of data (e.g., Secure IFS + Secure VDI, Secure Reports, etc.).
- Files that are required for a business process which contain sensitive information that is not required will need to have the sensitive information securely redacted from the file.
After 30 calendar days, SMT quarantines identified files into a directory with restricted access.
- For unit shares, the primary contacts for the unit must identify and provide a list of the individuals responsible for the review and cleanup of the quarantined files to Franklin OIT. Identified users are the only individuals granted permission to view and modify files inside the quarantine location.
From the period of quarantine, the client will have an additional 30 calendar days to cleanup and mitigate the restricted data from the files or identify false-positives.
After the completion of the 30 calendar days for quarantine, SMT removes any remaining files identified as containing restricted data from the server and archives them to disc for a period of 4 months before destruction.

Process Timetable

Item	Timeline	FOIT Actions	Owner/Unit Actions
Scan Shares	Quarterly by Calendar Year	Utilize standard tools to scan individual and unit file shares	None at this stage
Send notifications	Upon completion of scans	Notify Owner/Unit of files identified as containing sensitive or restricted data	Receive and review information provided in email
First Cleanup Period	For 30 days following notification	Process information received from clients regarding false positives or requested deletions Provide clarification to clients who have questions	Remediate/remove data Report false positive
Quarantine Data	30 days after scanning	Quarantine identified files to isolated location Notify affected individuals/units of quarantined files	Review notification and refer back to original message as needed
Second Cleanup Period	For 30 days following quarantine	Provide access to identified individuals for review and remediation of unit shares Process information received from clients regarding false positives or requested deletions Provide clarification to clients who have questions	For unit shares, identify individuals tasked with review and remediation Final opportunity to remediate or remove data in quarantine Final opportunity to report false positive date in quarantine
Archive Data	30 days after quarantine	Archive Files to removable media and remove from the share Label archive media with archival month and year	Archived files may be requested
Purge Archives	4 months from quarantine	Permanently purge the data by destroying the media	Request access to archive files prior to Purge activities