General Guidelines for Using Find_SSNs and Find_CCNs

Departments at Virginia Tech are encouraged to use these guidelines as an example.  Departments should develop local usage policies and procedures specifically for their area. Also, please keep in mind that no software tool is perfect. These programs are likely to produce both false positives and false negatives. Some file formats cannot be scanned for sensitive data. No one tool can protect you against sensitive data loss. Use these programs as a part of a larger business plan to address the risk of sensitive data exposure.

1. End users are encouraged to periodically execute these programs and review the generated reports to verify the results. How often the  programs are executed depends on your specific department's policy.  The ITSO recommends running the programs at least once per month, but  you may run it as often as you need.
2. End users should only execute the programs on their user data. On a  Windows PC for example, users should run the programs against their  'Documents and Setting'. Linux, Unix and Macintosh users should run  the programs on their home folders. For example a Unix user named Brad
    would run the programs on his home folder /home/Brad. To reduce false  positives, you may exclude files, folders and file extensions. See the  advanced usage instructions here.
3. If the programs discover sensitive data, there are a few measures  (depending on your situation) that can be employed to safeguard the  data:
   1. If you do not have a business need for retaining the data and  no state or university level document retention policy affects the  data, then you should delete it from the computer with a secure  deletion program.
   2. If you have a business need for retaining the data or if a  state or university level document retention policy mandates that you  retain the data, then use an encryption tool such as TrueCrypt to  create an encrypted space on the computer where the data is stored and  move all of the files that contain sensitive data into the encrypted  area.
4. If technical reasons prevent the programs from running on computer  systems in your department, here are some alternative programs written  by other universities that your department may use in a similar  manner:
   1. Senf - https://source.its.utexas.edu/groups/its-iso/projects/senf/
   2. Spider -  http://www.cit.cornell.edu/security/tools
5. Virginia Tech Find SSNs and CCNs Tool - Find_SSNs and CCNs