Overview

Security Categorization (RA-2) requirements for systems that store or process critical or confidential data include 1) use of file encryption or whole-disk encryption software and 2) appropriate use of data loss prevention (DLP) software provided and managed by the Office of the CISO. Currently, the DLP solution provided by the Division of IT is Spirion Sensitive Data Manager.

Appropriate Use

Effective use of Data Loss Prevention software requires recognizing that endpoints and servers operate with different usage profiles and characteristics. This type of active monitoring tool may be inappropriate for some scenarios or information resources. Examples of systems where installing DLP software would be inappropriate include:

  • Workstations used exclusively by individuals who cannot access critical or confidential data
  • Endpoints that cannot reasonably access critical or confidential data (e.g., digital signage, open access workstations, etc.)
  • Ephemeral desktops or systems which do not exist longer than 30 days
  • Servers as described by the Client-Server Model below
  • Servers that do not store data in a format that is readable by the Spirion service (e.g., certain databases, Domain Controllers, binary data formats, etc.)
  • Application servers that do not store confidential data directly, but only source code

Contact Information

Request

Information technology professionals may contact security@tamu.edu to request departmental access to the console, obtain the Spirion software, or ask any questions.


Service Details

Scheduled Scanning

By default, the Spirion agent will operate in a passive mode, with a weekly scheduled scan for sensitive information. This cadence can be adjusted as appropriate by each unit.

  • For research workstations with heavy computational or I/O loads or servers that need to support multiple client connections with a high degree of reliability, the client can be installed with no set schedule. Resource owners may request ad-hoc scans during maintenance windows to enable compliance without affecting service performance.

Active Monitoring

When critical or confidential information is found, procedures will be followed to remove, encrypt or secure the data. Alternatively, the data can be classified and tagged. Classified and tagged data will be actively monitored for inappropriate access.

Client-Server Model

In certain circumstances, servers that are used exclusively in a client-server mode, and which do not allow for interactive user sessions, may not need to have the Spirion agent installed if the information resource owner can establish that an active DLP agent has been installed on all endpoints connecting to the server.

It may also be inappropriate to run DLP software on certain servers, especially databases, even if they are known to store confidential information. Instead, access to these servers should be restricted following the principles of least privilege, and endpoints used to access those servers should run DLP software. If appropriate based on risk management decisions, a scheduled scan can be performed in lieu of active monitoring.
