Data Protection of Sensitive and Confidential Information

Data Discovery

Data discovery involves identifying and locating sensitive or critical data, whether structured or unstructured, within CU Applications, Oracle, MS SQL Server, MySQL Databases, User devices such as Laptops and Desktops, Network-Attached Storage devices, Fileshares, and Cloud collaboration systems. Data Discovery ensures compliance with CU IT Policies and helps prioritize protection measures by uncovering where sensitive information resides and how it's accessed.

Data Classification

Data classification organizes data into categories based on its sensitivity, which is defined in CU IT Policies. https://universitypolicies.columbia.edu/content/data-classification-policy. Classifying the data within an application enables effective access control, prioritization of security resources, and compliance with regulatory standards, ensuring that sensitive information is appropriately safeguarded.

Data Loss Protection (DLP)

DLP is a security strategy focused on preventing the unauthorized transmission or exposure of sensitive data. It employs policies, rules, and monitoring tools to detect and block attempts to access or share confidential information, safeguarding against data breaches.

Data Masking

Data masking involves obfuscating sensitive data by replacing it with fictional but realistic values. This is commonly used in non-production environments, like testing or training, to maintain data security while allowing functionality and usability.

Data Encryption

Data encryption transforms readable data into an encoded format using cryptographic algorithms, ensuring it is only accessible to authorized parties with the appropriate decryption keys. This protects data in transit and at rest from unauthorized access or breaches.

Data Destruction

Data destruction involves permanently erasing or physically destroying data to prevent its recovery or misuse. This ensures compliance with privacy regulations and safeguards sensitive information at the end of its lifecycle, mitigating potential risks from residual data.

 

CU Used Tools and Services

 

  • Data Encryption Tool Consultation
    • Provide advice and instructions on the best encryption tools and the best practices for sharing and storing data securely.
    • https://www.cuit.columbia.edu/handling-pii/file-encryption-tools
    • Email DLP
      • Proofpoint
        • Filtering outgoing emails for numbers similar to Social Security Numbers and identical to credit card numbers.
    • Cloud DLP
      • Proofpoint
        • Detecting numbers similar to Social Security Numbers and identical to credit card numbers and removing sharing.
    • EndPoint Scanning (PC Only)
      • CU Spider is used on a need-to-scan basis to scan single Windows Endpoints or groups of CUIT-managed endpoints for numbers similar to Social Security Numbers and credit card numbers.
      • Reporting on findings to endpoint users presumptive data owners about university data classification and encryption policies and the files they have requiring redress.
    • Data Anonymization and Test Data Management
      • Mage (Mentis) ( For Oracle, MS SQL Server, MySQL, Databases)
        • Discovery of sensitive and confidential data
        • Sensitive Data Discovery and Catalog: Uncover sensitive data locations across  Oracle, MS SQL Server, and MySQL Databases Sensitive Data Discovery tool. Can discover data in structured, semi-structured, unstructured, on-premises, or the cloud.
        • Static data masking: Static Data Masking (SDM) permanently replaces sensitive data with fictional but realistic values in a non-production environment. It ensures that sensitive information is not exposed during development, testing, or training while maintaining the data's usability
  • Key Features:
    • Data is physically altered in the database or system.
    • Irreversible masking, ensuring complete protection.
    • Ideal for creating safe replicas of production environments.                             
  • Dynamic Data Masking
    • Dynamic Data Masking (DDM) is a real-time method of obscuring sensitive data based on user roles and permissions. It dynamically alters the data at the query level, ensuring that authorized users see the original data while unauthorized users or applications see a masked version. This approach is commonly used in live production environments where sensitive data must be protected without disrupting operations.
    • Key Features:
      • Data remains unchanged in the database.
      • Masking occurs only when data is retrieved.
      • Suitable for environments with varying user roles and access levels.
      • ​​​​​SQL Query monitoring on sensitive data elements: Use the tool to monitor user’s SQL statements made on sensitive data tables and fields