Identity Finder Search and Remediation for Windows

To combat the growing number of security threats today, Penn State requires that each of its units and campuses identify, remove, and/or protect Personally Identifiable Information (PII) on all Penn State desktops, laptops, and servers. PII includes sensitive information such as Social Security Numbers, credit card numbers, driver's license numbers and bank account numbers. To aid in this effort, Penn State has obtained a university-wide license for the Identity Finder software.

It's important that you read and follow these instructions to properly remediate your computer. This document also assumes that the Identity Finder software has already been properly installed on your computer by your IT support staff. 

• Each user on a shared computer must run their own scan.
• Eudora users need to pay special attention during the remediation phase as mentioned in the note under Remediation.
• The Identity Finder setup for the College of Ag Sciences will add a test file named IF_Test.txt containing data that looks like PII. This file can be ignored.

Terms Used

• Personally Identifiable Information (PII) - Refers to information that can be used to uniquely identity, contact, or locate a single person or can be used with other sources to uniquely identity a single individual. Examples of such information are Social Security Numbers (SSN), Credit Card Numbers, Drivers License Numbers, and Bank Account Numbers that are associated with a person’s name or identity.
• Client - Refers to the Identity Finder program you are currently using.
• Results Pane - Located on the left of the Client, contains the results of a scan.
• Preview Pane - Located on the right of the Client, contains a preview of the currently selected file.
• Match - Located in the Results Pane, each row is a possible PII match. Could be a file, email message, database table, etc.
• True Positives - Matches that do contain PII that must be remediated.
• False Positives - Matches that have been incorrectly marked as containing PII.
• Remediation - The process of reviewing the scan results and securely and permanently removing PII.

Scanning - Local Computer

If you are scanning your files on a computer for the first time, please follow the instructions for cleaning your offline file cache before scanning.  

1. Remove all CD/DVD’s from your machine, otherwise they will be scanned. CD/DVD's do not need to be scanned unless they contain your data and files.
2. If you have backup drives or flash drives with data, they should remain on and attached and should be scanned.
3. Use the icon on your Desktop to launch Identity Finder (Also under Start > All Programs > Identity Finder).
4. The first time you start this application, you will be prompted to create a Profile password. This can be any password that you want and will remember but because of security issues, this should not be your AG or PSU password (see Scheduling Scans below). This password is used to save the scan results so that you can come back to them later and also to speed up subsequent scans. The software will not re-scan anything that has been previously scanned and has not been modified.
5. If a wizard pops up with choices, click Advanced.
6. Once the program opens and displays the Identity Finder window, click the Start button to begin a scan.
• If you receive an error during a scan "Outlook is not your default email client", click OK to continue. You do not want to change your default mail client.
• When the scan first starts, it may appear to be hung / not scanning for up to 5 minutes. This is normal.
• Scans can take less than an hour or up to an entire day to complete. After the initial scan, subsequent scans will only check new or updated files and should take less time.
• Your local drives will be scanned including temporary browser files (Firefox and Internet Explorer) and email files.
• If you Close the program or Log off your computer without saving, your scan results will be LOST, forcing you to restart a scan.
• You can Minimize the program while it is scanning and continue using your computer but you should expect your computer to run slower.
7. If you minimized the program, you will get a popup in the system tray when the search is complete. You can click the popup or the Identity Finder icon in the system tray to launch Identity Finder.



8. When the search is complete, save your results before you move on to remediation. Saving your match data allows you to come back to it later for remediation without rescanning the entire computer again. This is especially helpful if you have a large number of results. To save your results, click the save / disk icon. Save the file wherever you normally save your files and give it a name such as PIIScan.idf or the date of the scan. You can then later come back to the client, open the file that you just saved, and continue remediation from where you left off.
9. You should now move on to remediation before repeating the scanning process for any other drives.

Remediation

Once the scan is finished, you will be presented with a window containing a list of all files found that could contain Personally Identifiable Information (PII). Not all of these files will contain true PII; some will contain data that was incorrectly identified (a false positive).

The easiest way to determine if a file truly contains PII is to click the match and view the contents of the file in the Preview Pane (on the right side of the window). The preview pane will show you a preview of the match or matches within the file, with the suspected match highlighted. By viewing the file this way, you should be able to use your best judgment to determine if the number is true PII, or if it is a false positive.

Eudora Users (and past Eudora users who keep old Eudora data):

If you use Eudora for mail and Identity Finder locates PII in an email message, you can remediate your Eudora mailboxes with the lastest version of Identity Finder. Two details to be aware of:

1. Eudora must not be running when remediating.
2. When Identity Finder deletes an email message, every email message that follows the date of the deleted message will have a status of "?". You can highlight those messages and change their status to "Read" to remove the question marks.

A false positive could be things like ISBN numbers, research data, Penn State budget and account numbers, Zip Codes, or random strings of numbers that appear in the background code of some files.

If you are still unsure whether the file contains PII, you can double click the file name to open the file and review it. 

If you need assistance in determining which files contain PII, please contact Ag IT Support. You should also contact Ag IT Support before remediating files in system folders like C:\Program Files or C:\Windows.

If the file DOES contain PII, you must perform one of these options:

1. SHRED the file. This will securely and permanently delete the file completely from your machine. This is the best option and will ensure that the PII is unrecoverable if your computer were to be compromised. If you no longer need the file, please select it or check the box next to it and click the "Shred" button.

   Special care should be given to data on shared drives as well as databases that may require remediation. Shredding files on a server or shared drive should be done in consultation with other associates who might have a need for those files. If you are not the owner or primary user of a file, please ask before you shred! Database files (such as Filemaker and Microsoft Access) that you wish to keep should be manually cleaned. Shredding a database file will permanently delete the file. 
   
   If you attempt to shred a file and Identity Finder displays a message indicating that it was unable to shred it, check that the file is not read-only. There is a checkbox in the bottom right corner of the Identity Finder window to turn off the read-only setting.

2. If the file was saved in Office 2007 (XML-based format) or as a text file, you can SCRUB the file. This is the process of overwriting or redacting the PII data from the file without losing the rest of the information in the file. Only use this option if it is necessary to retain the rest of the data in the document.

3. CLEAN the file manually. This option involves manually editing and saving the file. Only use this option if it is necessary to retain the rest of the data in the document.
• To clean the file, double-click to open it.
• Delete the PII data from the file.
• Choose "File > Save As" from the menu and rename the file to indicate that the PII was removed. We recommend that you use a file name such as "OriginalFileName_PII-Removed" so that you can easily tell which files have been cleaned.
• Return to Identity Finder and Shred the original file (see Option #1 above for steps).

If the files DOES NOT contain PII, you can mark it to not be scanned/reported again:

IGNORE the file if you are sure that the file does not contain PII. The program will remember this file, so it will not show up the next time you scan your computer.

1. To ignore the file, click the file name and click the "Ignore" button at the top of the window.
2. In the drop-down list that appears, choose the first option: "This Item Location"

When you are finished with all the files in the list, you are done with the remediation. Simply click the X button to close the window. At this point, you can scan any other external or mapped drives that you may have or are responsible for scanning.

• It is important that you clear the scan results window. Any items left in the scan results window will be redisplayed the next time you scan. 
• Once you are done with remediation, you can delete the results file that you might have saved.

---------------------------------------------------

TIP - Speed Up Remediation

• Sort your scan findings using the column headings to group similar findings and remediate multiple items at a time.
• Sort by "Identity Matches" to group findings with the same PII information.
• Sort by "Size" to group findings that might be the same file but in different locations.
• Click the Collapse All Rows button to make the results easier to scroll through, use the + and - to toggle match results for files containing multiple matches.
• Select Multiple Files by either Ctrl + Click each row, Shift + Click first and last rows or click each check box next to the file name.
• Use the Delete Key on your keyboard to Shred files.

----------------------------------------------------

Scanning - Other External, Network or Mapped Drives or Memory Sticks

1. Close the Identity Finder client application if it is open.
2. Open your My Computer icon or Windows Explorer.
3. If necessary, navigate or connect to the drive or folder that you want to scan.
4. Right-click on the drive or folder, then click Identity Finder, Search.
5. If you minimized the program, you will get a popup in the system tray when the search is complete. You can click the popup or the Identity Finder icon in the system tray to launch Identity Finder.
6. When the search is complete, save your results before you move on to remediation. Saving your data allows you to come back to them later for remediation without rescanning the entire computer again. This is especially helpful if you have a large number of results. To save your results, click the save / disk icon. Save this file wherever you normally save your files and you can give it a name of PIIScan.idf or the date of the scan or whatever you like. You can then later come back to the client, open the file that you just saved and continue remediation from where you left off.

NOTE: If you close the program or log off your computer without saving, your scan results will be LOST, forcing you to restart the scan process.

You should now proceed to remediation (see above steps).

Additional Resources

• AgIT training video sessions on Identity Finder
• Frequently Asked Questions about PII Scanning
• Schedule an Identity Finder Scan for Windows
• Remediating Personally Identifiable Information - PSU Security Operations and Services
  

(Special thanks to the AERS IT Staff and IT in Liberal Arts for allowing us to copy their documentation.)