The NextRequest Risk Module is a risk assessment tool that will scan your documents to try to determine the likelihood that they contain sensitive information. This article provides information on how this new module works.
About the NextRequest Risk Module
NextRequest uses machine learning and pattern matching to enhance and safeguard your own manual review process, helping you to understand, identify, and mitigate your agency’s risks around the unintentional release of sensitive information.
NextRequest will automatically run a scan for sensitive data on all documents created on or uploaded to your NextRequest portal. These scans use built-in data identifiers to analyze the documents to determine whether or not they contain sensitive information.
Data Identifiers
Using a set of default data identifiers, NextRequest looks for:
- Credentials: AWS (Amazon Web Service) secret keys, OpenSSH private keys, PGP (Pretty Good Privacy) private keys, Public-Key Cryptography Standard (PKCS) private keys, PuTTY private keys
- Financial Information: Bank account number, Credit card expiration date, Credit card magnetic strip data, Credit card number, Credit card verification code
- Personal Health Information: Drug Enforcement Agency (DEA) Registration Number, Health Insurance Claim Number (HICN), Health insurance or medical identification number, Healthcare Common Procedure Coding System (HCPCS) code, National Drug Code (NDC), National Provider Identifier (NPI), Unique device identifier (UDI)
- Personally Identifiable Information: Birth date, Driver’s license identification number, Electoral roll number, Full name, Global Positioning System (GPS) coordinates, Mailing address, National identification number, National Insurance Number (NINO), Passport number, Permanent residence number, Phone number, Social Insurance Number (SIN), Social Security number (SSN), Taxpayer identification or reference number, Vehicle identification number (VIN)
How the NextRequest Risk Module Determines Severity Level
Using the findings produced by the sensitive data scan, a severity score is assigned based on the type and number of occurrences of sensitive data. In the event that NextRequest detects multiple different data types, it will return the highest severity level for that document.
Credentials
Data Type | 1 Occurrence | 2 to 99 Occurrences | 100 or More Occurrences |
---|---|---|---|
AWS secret keys | High | High | High |
OpenSSH private keys | High | High | High |
PGP private keys | High | High | High |
PKCS private keys | High | High | High |
PuTTY private keys | High | High | High |
Financial
Data Type | 1 Occurrence | 2 to 99 Occurrences | 100 or More Occurrences |
---|---|---|---|
Bank account number | High | High | High |
Credit card expiration date | Low | Medium | High |
Credit card magnetic strip data | High | High | High |
Credit card number | High | High | High |
Credit card verification code | Medium | High | High |
Protected Health Information (PHI)
Data Type | 1 Occurrence | 2 to 99 Occurrences | 100 or More Occurrences |
---|---|---|---|
Drug Enforcement Agency (DEA) Registration Number | High | High | High |
Health Insurance Claim Number (HICN) | High | High | High |
Health insurance or medical identification number | High | High | High |
Healthcare Common Procedure Coding System (HCPCS) code | High | High | High |
National Drug Code (NDC) | High | High | High |
National Provider Identifier (NPI) | High | High | High |
Unique device identifier (UDI) | Low | Medium | High |
Personally Identifiable Information (PII)
Data Type | 1 Occurrence | 2 to 99 Occurrences | 100 or More Occurrences |
---|---|---|---|
Birth date | Low | Medium | High |
Driver’s license identification number | Low | Medium | High |
Electoral roll number | High | High | High |
Full name | Low | Medium | High |
Global Positioning System (GPS) coordinates | Low | Medium | Medium |
Mailing address | Low | Medium | High |
National identification number | High | High | High |
National Insurance Number (NINO) | High | High | High |
Passport number | Medium | High | High |
Permanent residence number | High | High | High |
Phone number | Low | Medium | High |
Social Insurance Number (SIN) | High | High | High |
Social Security number (SSN) | High | High | High |
Taxpayer identification or reference number | High | High | High |
Vehicle identification number (VIN) | Low | Low | Medium |
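The scoring rule described above, written out as an added Python example. This is not NextRequest's code: the function names are hypothetical, the table is a subset of the rows above, and returning `None` for a document with no findings is an assumption the article does not cover.

```python
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


L, M, H = Severity.LOW, Severity.MEDIUM, Severity.HIGH

# Columns: (1 occurrence, 2 to 99 occurrences, 100 or more occurrences).
# Values copied from the tables above; only a subset of rows is included.
SEVERITY_TABLE = {
    "AWS secret keys": (H, H, H),
    "Credit card expiration date": (L, M, H),
    "Credit card verification code": (M, H, H),
    "Global Positioning System (GPS) coordinates": (L, M, M),
    "Passport number": (M, H, H),
    "Phone number": (L, M, H),
    "Social Security number (SSN)": (H, H, H),
    "Vehicle identification number (VIN)": (L, L, M),
}


def bucket(count):
    """Map an occurrence count to its column index in SEVERITY_TABLE."""
    if count < 1:
        raise ValueError("occurrence count must be at least 1")
    if count == 1:
        return 0
    return 1 if count <= 99 else 2


def type_severity(data_type, count):
    """Severity for one data type found `count` times in a document."""
    return SEVERITY_TABLE[data_type][bucket(count)]


def document_severity(findings):
    """Highest severity across all data types found in one document.

    `findings` maps data type -> occurrence count (constructed input).
    Returns None when nothing was found (assumption, not from the article).
    """
    levels = [type_severity(t, n) for t, n in findings.items() if n > 0]
    return max(levels) if levels else None
```

With these tables a high count does not always mean High: 150 VINs score Medium, while a single SSN alongside three phone numbers scores High.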
What is Flagged Inside Each Document Other Than Severity Level
Clicking the severity risk tag (high risk, medium risk, etc.) on the Document Dashboard, the new Request page, or in RapidReview opens a small window with more information about that particular document. The findings information includes what specifically was flagged (e.g., phone number, credit card number) and how many times that piece of information was found in the document (5 phone numbers, 3 credit card numbers). This window will also show you more information about the document, such as the request number, file size, visibility, file type, and upload date.
On the document page, this information will be displayed next to the document on the top left side of the screen.
Reviewed/Not Reviewed
This feature allows admin users to verify whether or not a document has gone through proper reviewing channels and mark that document as reviewed. This in no way affects the document's risk level at this time, and a document will have both states (review state and risk level). Simply put, it is another tool to help collaborate and communicate a document’s ability to be published or released.
Where to Find Risk and Review Tags
Almost anywhere you see a document in your portal, you will see the risk and review tags associated with it. Here are all the locations in your portal where you can see Risk Module information:
- Document Dashboard: This is the place where you can see a bird's eye view of all documents across your portal. You can filter by visibility, review status, and risk level.
- New request page: On our new request page, you can see all risk tags on the bottom of each document card. Clicking on a risk tag will open the document findings window. Clicking on the review tag allows you to swap between reviewed/needs review. You can also filter your documents here by visibility, risk level, and review status. Risk Module information is not available on the legacy request page.
- RapidReview: Same as the new request page, all risk and review tags are attached to the bottom of each document card and operate the same way as the request page. Filtering by risk level and review status is not yet available in RapidReview.
- Document page: All risk findings can be found directly on the document view and redact pages on the top left of the screen. On the far right you will find risk and review tags.
NextRequest Risk Module Updates
After a document or set of documents is uploaded to a request, each document will be marked with a "pending" tag until it has been scanned by the Risk Module. Once a document is scanned, the pending tag will be replaced with the appropriate risk category (high, medium, low, unscannable). Please note that you may need to manually refresh the page to see the updated tags.
These "pending" documents can still be filtered and viewed just like any other risk level. Pending documents are not able to be marked as reviewed until they have finished scanning.
Supported File Types
NextRequest only scans certain file types. At this time, that means only file formats that contain machine-readable text, such as OCRed PDFs, Word files, email files, CSV and Excel files, and other text-based documents. If a file cannot be scanned due to its file type, it will be given an “unscannable” tag and placed into the unscannable bucket. These files can still be reviewed manually using the review state feature, but will not receive a risk level.
Who Can See Risk Module Features
Only internal agency staff can see Risk Module information. Only admins can access the document dashboard. Only publishers, department admins, and admins can mark review tags as reviewed. Requesters and the public never see any Risk Module information, regardless of whether the document or request is made public or released.
Risk Module & the Ability to Release Sensitive Documents
The Risk Module will still allow documents in any severity category or review status to be released like any other document. There is no need to mark a document as reviewed first, and a document without a risk level can be released as well.
In the new request page, when changing the visibility of documents we provide a ‘risk report’ that gives a quick overview of the risk levels and review statuses of the documents you are about to release. While this does not restrict the user from releasing documents, it gives your agency more insight into specifically what is being released.