1. Help Center
  2. Info Governance Playbooks
  3. Sensitive Data Clean Up and Monitoring

4. Scoped Review and Decision | Sensitive Data Clean-up and Monitoring

4.1 Activity Summary

Activity Description

At this stage, data has been collected and you will be able to introduce users to the system and familiarize them with the user interface and concepts (user training).

Once familiar with the system you can encourage your users to complete a review cycle of content they have responsibility for, identifying content that should be acted on to achieve the information management goals of the project.

Content that requires action can be exported and passed to the next stage of the project for remediation.

Goals

Demonstrate product utility to stakeholders

Participants

Analyst, Business Unit data owners

Pre-requisites

  • Feature extraction performed on specified location

  • Content location mapped to a business unit

Outputs

A manifest of responsive files or containers that require an action has been exported from ActiveNav Cloud

OR

A review of responsive files that requires an action has been conducted and the list of files has been exported from ActiveNav Cloud.

4.2 Identify Areas of Focus

ActiveNav cloud provides two primary views for visualizing sensitive data results and facilitating review and remediation decisions.

Compliance Home Page

The Compliance home page provides a data map of your Data Centers by grouping hosts by their geolocation. It presents a heatmap of the extent of sensitive data elements for each geographic location. This enables the user to understand where the highest concentrations of sensitive data exist across the organization. 

ComplianceDashboard4

We recommend that users start by using the compliance view to get a broad understanding of the nature and location of sensitive data that has been discovered in each of the geographic locations. Once a location has been selected, the details panel will reveal a matrix of sensitive data element scores. This can be pivoted between score values and actual counts of objects containing each sensitive data element. The element matrix can be exported as a CSV file and can support other related compliance activities such as ROPA statements and the creation of a data privacy impact assessment.

The data element matrix serves as a useful tool to understand where the focus of attention should be when determining the specific location of sensitive data.

In the example below, all the data locations are selected. The matrix on the right-hand side illustrates the presence of each data element through a visual heatmap indicator of red (high concentrations of regulated data elements) and green (low concentrations of regulated data elements). In addition, the score for each data element is also displayed. 

4.3 Identify Responsive Content By Business Unit 

Once the user has a general understanding of the presence and extent of sensitive data across all repositories, a deeper investigation to determine the specific location is supported using the Analyst Home Page.

The recommended approach is to focus attention on a specific business unit, identify the locations of sensitive data within that business unit and conduct a review of the findings using the approach described below:

Analyst Home Page

The Analyst home page provides users with the quickest access to the areas of concern, allowing them to streamline the data being viewed to one or more specific Business Units. Users can filter results by repository type, geographic location, date, and other options.

It allows a user to examine the data from an ownership (Business Unit) perspective which allows the investigation and focus to be at a meaningful level. The goal is to quickly identify the set of containers or files (Hotspots) that contain sensitive data with minimal user input. Users can display any number of Business Units at a time in the same view, including a view of all data and any orphaned content (Content that has not yet been allocated to a Business Unit). Each selected business unit is displayed as a vertical slice. Users can select which Business Units to display / hide from view.

AnalystDashboard1

For each business unit, the user is presented with a series of metrics and a subset of the scoring model together with the ability to filter by repository type or geographic location.

To determine the set of responsive files that contain sensitive information, select a Business Unit (or All Data / No Business Unit),  select any node within the “Privacy” category in the scoring model, depending on the level you want to analyze at. Then choose either a repository type or geographic location. A date filter (and others) can also be applied to the list to further narrow the scope of responsive files. Once the selection is made, hit the Generate Report button.

The Analyst Object report is now displayed, giving you the ability to drill further into the object information returned.

AnalystObjectReport1

If viewing a list of responsive files, further information on the specific sensitive data elements found in each file can be viewed by selecting a file in the list and opening the details panel on the right. This will provide information on the specific features found in the file.

AnalystObjectReport2

If more information or context is required in order to determine if a container or object is responsive, the Analyst Home Page enables a user to explore the items in the context of the information architecture.

For each container or object in the “Hotspot” list, the user can click on the Organization-icon icon, which will navigate the user to a view of the location of the selected container or object within the information architecture.

From here, users will be able to see how neighboring content is scored according to the presence of sensitive data. This allows users to gain an understanding of where the hotspots exist within their content.

The view allows users to navigate through the information architecture and apply filters to quickly visualize where all sensitive data exists.

Now that a responsive set of content has been identified, users can directly export the file manifest into a csv file for further review. They may also leverage the ability of ActiveNav Cloud to conduct a scoped review of the responsive set of content. Reviews can be created for an analyst to review and apply decisions to, based upon the sensitive data content. A stakeholder can review that manifest of the reviewed content (including decisions) and disposition the content as required by their organization. ActiveNav can provide customers with scripts to remediate sensitive data outside of the ActiveNav Cloud application. In addition, third-party applications, or existing workflow automation tools (outside of ActiveNav Cloud) can be leveraged as well.

4.4 Performing a Scoped Review in ActiveNav Cloud on Sensitive Objects 

ActiveNav Cloud performs analysis on the content of objects found in your inventory and assigns scores for a variety of regulatory impact areas. The review process allows you to make informed decisions on remedial action that may be required for individual discovered objects or, for many objects based on advanced filtering.

The review consists of five key steps: selecting objects from your inventory, configuring the review parameters, investigating the reviewed objects, and applying decisions based on findings. Finally, you will approve the review outcomes and use your internal processes to address any identified issues appropriately. It is recommended that stakeholders create a basic strategy outlining what batches are to be reviewed, and the criteria for applying decision mark-ups to specific objects. In addition, the stakeholders should identify the analysts conducting the review and communicate the end goal as it pertains to sensitive data remediation.

Please refer to the Scoped Review KB for further information: Introduction to Scoped Review

The following section runs through an example scoped review process.

4.5 Defining Your Data for Review 

How to select data for your review

Using the Analyst dashboard, select the business unit on which you wish to focus your review. From there, choose which score category is most relevant to your review criteria. 

AnalystDashboard2

Additionally, you can refine your data selection by specifying a repository, geolocation, or host.

Filtering Your Data

To enhance the precision of your review, you can narrow down your data further by utilizing the query builder before generating your report for either objects or containers.

QueryBuilder

You can filter your data by Dates, Size, Object or, depending on your risk threshold appetite, Score. Once you have set your filter parameters, click the Generate Report button.

In the Analyst Object Report window, you can verify that your chosen selection contains the data that you wish to focus on.

AnalystObjectReport3

After reviewing the selected dataset, click Create Review

4.6 Creating the Review

Adding details and your decision options to the review 

In the Create Review dialog, you have the opportunity to add details to your review and define your decision options.

CreateReview

  • Name - Add a descriptive name for your review.

  • Description - The text in this field is auto-generated based on the selected business unit, repository, score and filter values. However, this text can be overwritten or amended by the user if required.

  • Approver - The approver is the person who has the overall responsibility for checking that the review has been completed to the expected standard. When the review has been completed satisfactorily, the approver, and only the approver, will be able to commit the review.

NOTE: Only a user with an Analyst role can be nominated as the approver.

  • Decisions - Decisions are user-definable values that the review team will apply to the objects under review. They should be defined in terms that are applicable to your organization and should be clear for the reviewers to understand. You can define up to 20 decisions and they are automatically assigned a color code to make them easily distinguishable.

CAUTION: Take care when adding decisions as once the review is created, they cannot be amended or removed. You can, however, add additional decisions after the review is created.

Once happy with your selections, click Create Review.

The review creation process can take some time and you will see the appropriate status when viewing the review:

CreatingReviewStatus

When the creation is completed, the status will change to Open and the owner and the approver will receive automated 'Review Ready' emails.

NOTE: The person who creates the review is automatically assigned as the owner and is the sole user authorized to export the result manifest. However, this ownership can be transferred to another user after the review has been created by editing the review details. 

4.7 Applying Decisions to Objects in Review

The different methods of applying decisions to the objects in your review

There are two methods of applying decisions to your review objects. The first is to select the objects you want by checking their boxes, select the appropriate decision, and then click the Apply Decision button. 

ReviewApplyDecision

Selection can be performed on a range of individual objects or by using the check all checkbox in the table header bar.

ReviewDecisionCheckboxes

The check all control will select all objects on the current page. By increasing the number of objects to view in the pagination controls and by applying a combination of sorting and filters, you can use it to quickly apply decisions to a larger number of objects.

NOTE: Decisions can only be applied to 1000 selected objects at a time.

The other method can be used when you want to apply a decision to a large number of filtered objects.

ReviewApplyDecisionFiltered

To use this method, first apply a filter to your review such as files of a certain size or type. In the Decision side bar, you will see the number or records that match your filter criteria. Select a decision and the Apply to Filter Matches button will become available. After you click this, you will see a confirmation dialog and when this is confirmed, ActiveNav Cloud will apply the decision to each included object.

NOTE: Apply to All Filter Matches can apply decisions up to a maximum of 500,000 objects. Please be aware, however, that applying to such a large number will take some time.

4.8 Approving and Committing the Review

How to approve and commit the review

When your team has completed the review, they should inform the approver via your internal process. The approver should then evaluate whether the review has been completed satisfactorily and they accept the decisions that have been made.

SelectReviewForApproval

If the approver deems the review to be complete, they can approve it and commit the review which will 'lock in' the decisions made.

Approval is done on the Review page by selecting the review and clicking Approve from the Actions menu. This will open the Approve Review dialog where the approver is required to provide a confirmation statement.

ApproveReview

Once this has been filled in, click Save and Close.

NOTE: Once a review has been committed, no additional modifications or actions can be taken. Therefore, the approver should ensure that they are completely satisfied with the review before proceeding.

The Review page will update and the review should be assigned a status of Updating.

ReviewStatusUpdating

Once the status changes to Committed, the review manifest will be available for download.

Review Expiry

Reviews have an expiry date which is 14 days after approval. After this period has elapsed, the review will be deleted so it is important that the review manifest is exported before then. Approvers will be sent a reminder email 3 days prior to the expiration date.

4.9 Exporting Your Review Summary and Audit

When your review status changes from Updating to Committed, your review summary and audit will be available to download. To do this, select your review and from the Actions menu, select Export.

ReviewExport

The download is in a zip format which will contain 2 files. The first is a summary file in JSON format which will display the metadata of the review itself.

ReviewSummaryJSON

TIP: JSON files can be opened in a standard text editor such as Notepad.

The second is an audit file in CSV format containing all your objects, the decisions applied to them, and other metadata for your objects.

ReviewManifestCSV

NOTE: Only the review owner can export the review results.

Once the review is complete, a list of objects can be examined by a stakeholder for remediation.

Next Step

The Workflow Integration KBA provides best practices for remediating sensitive data in ActiveNav Cloud that align with your organization’s information governance policies:

Workflow Integration

Export files provide the container or object path and name and additional metadata (Business unit, object type, object dates, repository type, geo location etc.) to provide context for the review for each item.