I don't envy you (Score 1)

I too work at a large university. I don't know if your experience is similar to mine. If it is, then given you're even posing this question I bet your university cannot formally define what is considered restricted or sensitive data. Some things are easy, like SSN. Some things are not. There are lots of grey areas. There are lots of kinds of data at a university, and there are potentially dozens or more formal audit requirements that might need to be met in some cases, but not others. Sometimes a given "piece" of data is itself not considered restricted, but two or more different non-restricted pieces when together are. It gets very complex, depending on how thorough you want to be. And that's just death around a university, where people love to debate the complexities ad nauseum, and no one can or will just say, look, THIS is restricted data. THIS is where we are starting. *I* am making the call because I can, or else because someone has to. If we want to add to this list, or debate the subtleties down the road, fine. But get busy with THIS list NOW. And so my first point: how thorough do powers-that-be want you to be? And is there a definition clear enough to program a computer by that specifies that level of thoroughness? Or when you ask precise questions, do you find it hard to get anyone who says: I am responsible for making the call, and the call is YES|NO that is|isn't restricted data. Instead, you get a lot of longwinded talk, vague references to long-winded say-nothing vague policies that don't, ultimately, answer your questions either about what is or is not restricted data? Yeah, I thought so. Sorry to hear it. Second point: is this an interim damage control task, but the real task of getting a handle on sensitive data going forward is already well underway? If not, then you are again on a fool's errand. This task is going to be time-intensive, no matter how you do it, no matter what tool you find or what set of scripts you roll yourself. Why bother, then, putting the horses back into the barn until the gate is fixed? Or probably more aptly, why bother making the horses stand where you wish there was a barn until one is built there? Unless you have, say, transcripts or something sitting on a webserver, time is far better spent on building a barn. Third: someone already raised this. It goes hand-in-hand with the above point. If the groups around campus aren't made responsible for how they handle restricted data, it's hopeless. A university environment is generally too chaotic and out of control (I believe the euphemism is "collegial") to manage it any other way. But hey, what's the first thing that will happen when you tell groups they are responsible for handling sensitive data? Yep, you guessed it - what is considered restricted/sensitive? And I bet your university can't answer that. So, yes, I don't envy you. Good luck.