PII Scan and Summary
June 23, 2023
Release Notes
We're pleased to announce the release of our new integration with RapidFire Tools' Compliance Manager GCM. This integration allows us to offer sensitive data scanning, a sensitive data summary, and visual indicators identifying where, among Workplace files, personal identifiable information (PII) is stored. This report is the result of a Compliance Manager GRC deep scan of all Workplace-stored data.
Anyone who needs to securely share and collaborate on files while adhering to compliance requirements will benefit from this integration.
Why is it important to report on sensitive data?
Certain standards, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), require identification of where PII is stored. Other standards, such as the Payment Card Industry Data Security Standard (PCI DSS) require that some types of information, such cardholder data, be limited to the Cardholder Data Environment and segmented from the rest of the network. Depending on the level of PCI compliance, storage of cardholder data (such as credit card numbers) on drives is strictly prohibited. And the Health Insurance Portability and Accountability Act (HIPAA) require that electronically stored, protected health information (ePHI) be protected in specific manners.
How does integrating Workplace and Compliance Manager GCM help?
Datto Workplace is, among other things, a secure, version controlled, and logged file storage mechanism. As files (.doc, .docx, .xls, .xlsx, .txt) are uploaded from Windows, Mac, iPhone/Android devices, or via web upload, they are processed, scanned, and logged before they're stored in Datto Workplace.
Compliance Manager GRC includes sensitive data scanning; it looks for PII (for GDPR and CCPA), ePHI (for HIPAA), and cardholder data (for PCI DSS).
How does it work?
The Compliance Manager GCM Integration and the PII Scan and Summary that it provides augment the Datto Workplace pre-upload scanner with the Compliance Manager GRC deep file scanner. That scanner looks for PII, ePHI, and cardholder data in files uploaded to Workplace. If any such information is found, the file is tagged, in Workplace, with the specific information type, e.g. Date of Birth, License Number, etc.
When performing a compliance assessment, Workplace Manager users can provide proof of data classification and protection. The integration queries Datto Workplace for all locations of sensitive data as well as which user uploaded the data. Then Compliance Manager GRC presents the findings to the Internal Auditor to determine if there are violations that should be addressed. Any issues will appear in the Plan of Action and Milestones.
With this integration, only newly created, modified, or downloaded files are scanned. The scan occurs when files are changed and/or uploaded to Datto Workplace. This means that during the compliance assessment process, the deep scan is unnecessary and the location and owner of sensitive data is available immediately; you'll have deep scan data available on demand.
How are Workplace files that contain sensitive data identified in Workplace?
Any file in which Compliance Manager has found sensitive data will be flagged with a red icon with a fingerprint on it. Hover over the icon to see the type of information the file contains, as well as a count of how many times that type of data appears in the file.
How do I run the report?
The new PII Summary is available through Workplace Manager (Teams > Team Detail > PII Report Download button) and Workplace (Access the client's Workplace Online > Report > Special > PII Report) interfaces. And as with all reports, you have the option to export and/or schedule this report.
How do I enable this integration?
Just read the How to... section of PII Scan and Summary via the RFT Compliance Manager integration page for details on how to Configure the integration, Find sensitive information information in Workplace-stored files, and Run the report.
NOTE To learn more about the Compliance Manager side of this integration, please refer to this topic in the Compliance Manager GRC help system.