Like most state universities, Indiana University maintains large volumes of sensitive information, including healthcare data, social security numbers and financial data. As faculty, students and staff increasingly use portable laptops and other mobile devices, the risk of data leakage grows. For Tom Davis, the university's chief security officer, having a way to locate, delete and secure confidential data is vital to the information protection program. In this interview with FierceCIO, Davis offers his insights on the tools needed to safeguard the university's information assets.

FierceCIO: What are the biggest security issues facing your organization?

Tom Davis: The protection of sensitive information, regardless of where it is stored, remains one of the top challenges we face. This is especially true as our customers move to smaller more powerful laptops instead of traditional desktop systems. These portable devices are at higher risk of loss and theft, so we need to take every precaution to protect the information they contain.

FCIO: Is there anything unique or particular to the university environment that makes tools for locating and securing sensitive data particularly critical?

Davis: Historically, responsibility for information technology systems has been decentralized in higher education, resulting in distributed caches of sensitive information. Most of these systems existed long before Enterprise Resource Planning systems were deployed centrally, and long before many institutions moved away from using SSNs as primary keys to identify faculty, staff and students. Now that most universities have ERP systems in place and have moved away from SSNs, scanning tools help identify and secure this type of information.

FCIO: What was the main reason for deploying the data protection solution you chose? 

Davis: We humans are digital pack rats! What's the first thing we do when we buy a new computer? We transfer all of our existing files to the new computer and then begin creating even more files. We never have to worry about running out of space since it is likely our new device has more storage capacity than the one we are replacing.

How many of us can say without a doubt that none of these files contain sensitive information? Our faculty, staff, and students are extremely busy people, so we can't expect them to manually inspect the hundreds of files for Social Security Numbers and other sensitive data. Identity Finder helps efficiently and effectively find, delete and secure sensitive information.

Identity Finder is very easy to use and manage. It also produced very few "false positives" and it allowed us to provide the same solution for personal and enterprise computers. We also found Identity Finder's help in providing a solution that fit our needs extremely beneficial.

FCIO: Is it difficult to make the business case at your university for investing in security technologies?

Davis: Indiana University's leadership understands the importance of information security and privacy. Therefore, it has been relatively easy for us to make the business case for security technology investments. We must be able to identify where sensitive information is stored before we can take steps to protect it. "Identify" is the first step in our "Identify, Inventory, Dispose, Secure, Stop and Think" security awareness campaign. Our business case referred to this campaign and described how Identity Finder would help us accomplish those goals. 

FCIO: To what degree is regulatory compliance a driver for deploying this kind of solution?

Davis: Indiana University is essentially a small city, providing a broad range of services to its community. These services include health care facilities, financial services, restaurants, hotels, book stores, athletic events and so on. Therefore, we have many compliance obligations, including industry standards such as PCI-DSS, state disclosure laws, and federal laws such as HIPAA and GLBA. I wouldn't say compliance is driving the adoption of this kind of solution--concern for the privacy and security of individuals and the university is paramount--but it is definitely another useful tool in our tool belt.

FCIO: Do you have a way of showing that this technology has reduced your risk of data leakage and identity theft?

Davis: Useful security metrics are very difficult to gather and measure, in large part because it's hard to prove a negative. In other words, it's impossible to say, "We haven't experienced a significant data breach, and that's because we have been using product X." What I can say is that anecdotal evidence--as reported by our customers--shows that Identity Finder has been valuable in identifying many unnecessary files that contain critical information.

Related Articles:
Grocery chain issues warning about tampered payment terminals 
Data breach laws, e-discovery increase compliance duties 
Server containing patient information hacked to host Call of Duty