Purging Sensitive Personal Information from Non-Central Systems
Deadline 30 September 2006
ALL UNIVERSITY EMPLOYEES ARE REQUIRED TO SIGN the Individual SSN Attestation Form (Forms), Removal from Usage or Protection of SSNs (Social Security Numbers), by September 30, 2006 (Memo to the College). Ensuring that sensitive personal information is secured is your responsibility. We will assist, but will not do this for you.
Determining the presence of sensitive personal data stored electronically on your systems:
You may think you know where you have sensitive personal information stored on your computer. The university has provided a tool to help you search your computer. The program (Spider) was developed at Cornell University.
All – On the Individual SSN Attestation Form, write down the network name of the computer you are running the program on. This is critical. Attestations will not be accepted unless this information is provided. This helps us assure 100% compliance.
Windows 2000, XP, 2003 clients (These are the same instructions that ACNS provides. I tried to put them into a "step 1, 2, 3" order)
Step 1
- Windows users: right-click on the "My Computer" icon and select the "Computer Name" tab. It is not necessary to include "cas.colostate.edu" if this is part of the name. The owner would simply write down "Daquisto" in the example below.

Follow steps 2 - 9 I have outlined, or, go to the ACNS instructions. They are the same.
Step 2 – Delete temporary files and clear the cache on your machines (this will decrease the time for scanning and number of "False Positives")
- Right-click on the Start button, then left-click on "Properties". Select "Customize", then select either "Clear" or "Clear List". Close the window.
- Open your web browser(s) and delete any temporary files (IE: Tools, Internet Options, "Delete Files"; make sure "Delete Offline Content" is selected. Firefox/Mozilla/Netscape: Tools, Options, "Clear Cache").
Step 3 – Ensure .NET 1.1 is installed at a minimum
- To ensure you have the latest .NET 1.1:
  - Go to http://windowsupdate.microsoft.com
  - Click on the Custom button
  - After your system has been analyzed, click on the "Software, Optional" area on the left of the browser and check Microsoft .NET 1.1 (it may say something like .NET 1.1 framework).
  - Click Install Updates
- If you did not have .NET 1.1 installed you will have to:
  - Go to http://windowsupdate.microsoft.com
  - Click on the Express button
  - After your system has been analyzed, click on the Install Updates button
When the download and installation are complete you will have to restart your computer.
Step 4 - Download Spider to your computer and install it (Get Spider program)
Step 5 - Adding CSU and AgSci specific registry settings (Important - Install Spider before you add these registry settings).
- Download and save the registry entry onto your desktop. (Download zipped registry file here)
- Double click to "unzip" the file to your computer.
- Double click on the file ( spiderv3agsci.reg ) and accept the changes it will make.
Step 6 - Run Spider.
- Spider scans files with built-in expressions that match credit card numbers and SSNs in xxxxxxxxx format. ACNS added a regular expression to match any consecutive sequence of numbers exactly nine digits long within the valid range of SSNs (starts with a number less than 722). This increases the number of potential hits, many of which will be false positives.
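The nine-digit rule described above, as an added example (not Spider's or ACNS's own expression), showing why order numbers and unhyphenated ZIP+4 codes get reported alongside real SSNs. It assumes "starts with a number less than 722" refers to the first three digits; the function names and sample text are constructed.

```python
import re

# Added illustration, not Spider's or ACNS's actual expression.
# Assumption: "starts with a number less than 722" means the first three
# digits (the SSN area number) are below 722.
NINE_DIGITS = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")
AREA_LIMIT = 722


def find_candidates(text):
    """Return (line_no, masked_value) for each nine-digit run in range."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in NINE_DIGITS.finditer(line):
            if int(m.group(1)) < AREA_LIMIT:
                # Mask all but the last four digits so the report itself
                # does not become another copy of the sensitive value.
                hits.append((line_no, "XXXXX" + m.group(3)))
    return hits


# Constructed sample text; none of these are real identifiers.
SAMPLE = """\
Employee record: 123456789
Purchase order 400112233 shipped
Phone 9705550100 (ten digits, not matched)
Badge 987654321 (starts above the range, not matched)
ZIP+4 written without hyphen: 100011234
Account 1234567890123 (longer run, not matched)
"""

if __name__ == "__main__":
    for line_no, masked in find_candidates(SAMPLE):
        print(f"line {line_no}: {masked}")
```

Of the three hits in the sample, only the first is an SSN-style record; the purchase order and ZIP+4 lines are the kind of false positives that have to be reviewed by hand.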
Step 7 - Use Spider Log Parser to delete results with "0" value (false positives) and interpret the results.
- Download and save the Log Parser onto your desktop. (Download zipped Parser program)
- Double click to "unzip" the file to your computer.
- Double click on the file ( SpiderLogParser.exe ).

- Unless you have saved your "Spider.Log" elsewhere, simply select the "Parse Log File" button and select "OK".

- NOTE: Each time you run Spider and the Parser program, it APPENDS your data. Delete the log file(s) before running it each time to avoid duplicate results.
Step 8 - Find the log files
- The default location for the files is in "C:\". Double click on "My Computer" and select the "C" drive.
- The log generated in Step 5 is named "Spider.log".
- The log generated in Step 6 is named "Parsed.log". Some zero values may incorrectly report the absence of SSNs. To be absolutely sure, check the Spider log.
Step 9 – Look at the file names generated in the log file and find them on your computer. (ACNS documentation on how to interpret results) When you find files with Social Security Numbers in them, you have a few options.
- Manually edit and delete the sensitive information - remove the social security numbers within each file.
- Burn the files to a CD and lock the CD in a drawer in the same manner you maintain sensitive paper reports. Make sure you label the CD so you don’t lose track of the sensitive information. Delete the file from your computer.
- Delete the file entirely with no data back-up.
- Encrypt the data on your computer. (As with any file encryption scheme, TrueCrypt carries the risk of permanent loss of data if the encrypting password (or “key”) is lost. Use with GREAT CARE.)
When deleting files, DO NOT delete system files. If you have a question about whether a file is a system one or not, please contact me.
Linux and Macintosh clients
Spider for Mac
Spider is also available for Windows and Linux. Mac OS X computers can be mounted as shares on a Linux host and scanned remotely.
Useful Links
- For detailed, definitive answers to most questions, please visit the university web pages
- To schedule someone to come help you with Spider, please contact
- Please look at the scheduling calendar to check for available times. Scanning and looking through your files may take up to two hours (depending on the amount of data you have stored).