Calendar A-Z Index School of Arts and Sciences University of Pennsylvania


Solutions and tools to help users identify and mitigate PII.

A newbie's guide to cloud computing at Penn

What is cloud computing?

Cloud Computing refers to services that are performed away from your own computer and out on the Internet. The Internet is “the cloud” because when you use these services, you don’t really know where your data is and you (usually) don’t care, as long as it gets delivered to your computer or tablet or phone when you ask for it.

Physical Security

The physical security of the sensitive data in your office needs your attention just as much as the cyber security. Locks should be employed wherever possible -- on the filing cabinet, on the desk, on the door to the office, on the door to the suite. You should even lock your computer to the desk if you can.


If you need to keep PII on your computer because of your job or your research, you may need to protect this data with encryption.

Encrypting data ensures that when you are not using this sensitive information it is stored as meaningless and unrecoverable gibberish.

Secure Transmission of Data

The most important thing to understand about sending and receiving data is that ordinary old everyday e-mail is not a secure way to do it. E-mail messages can be intercepted while they travel on the internet, and if the message is not encrypted (and most of the time, it is not) anyone who intercepts it would be able to read it.

Security and Prviacy Impact Assessment (SPIA)

SPIA is designed to give every department and center the opportunity for a one-on-one consultation with an expert on information security at least once a year. One of the things we focus on for SPIA is whether your computers or your paper files might contain sensitive data, whether by design or by accident (for example, old grade sheets at one time used Social Security numbers as student identifiers). An experienced LSP can often help you find old stores of data that you didn't even realize still existed.

Shredding Stuff

Securing paper documents means shredding them if they are no longer needed. It is not safe to put paper documents in the trash, or worse, the recycling bin, without taking care that they are securely shredded first!

In general, if a document containing sensitive data is printed just for convenience or reference, it should be shredded as soon as the need for the printout has passed.

Privacy Concerns

If you are already familiar with Identity Finder, you may know that it reports information from your computer to a "console," an SAS-owned server that collects information and helps us track the implementation of Identity Finder across campus.

The information stored in the console never includes the sensitive data; it contains information about where sensitive data was found, and what was done about it (ie, was it securely deleted or "shredded," was it moved to a secure file server, etc).

Alternatives to Identity Finder

Identity Finder was licensed by SAS because after extensive testing of comparable products in the marketplace, it was found to be the most effective and user-friendly way to identify sensitive data in a wide variety of formats.

However, it's not the only software tool that can scan a computer for social security numbers (SSN's), credit card numbers, bank account numbers, etc. Cornell University makes available an open-source tool called Spider that runs on Unix/Linux computers as well as Windows and Mac.

Identity Finder

Identity Finder is a software tool that searches a computer for sensitive information, including social security numbers (SSN's), dates of birth, credit card numbers, bank account numbers, and more. It can search through a wide variety of file types, including Word docs, Excel spreadsheets, and even PDF's. It is available to all SAS faculty and staff. When Identity Finder scans a computer for PII, users are often surprised at the results -- many people who believed that they had no sensitive data on their computers find some in old files or browser caches.


In general, with sensitive data we always suggest that you work your way through these possible solutions, in order.

* Securely Delete
* Convert
* Truncate
* Protect on a server
* Protect with extreme caution on a local device

Syndicate content