The NextRequest Risk Module is a risk assessment tool that will scan your documents to try to determine the likelihood that they contain sensitive information. This article provides information on how this new module works.
What is the NextRequest Risk Module?
NextRequest is using machine learning and pattern matching to enhance and safeguard your own manual review process, helping you to understand, identify, and mitigate your agency’s risks around unintentional release of sensitive information.
How does the NextRequest Risk Module work?
NextRequest will automatically run a scan for sensitive data on all documents created on or uploaded to your NextRequest portal. These scans use built-in data identifiers to analyze the documents to determine whether or not they contain sensitive information.
What data identifiers does the NextRequest Risk Module look for?
Using a set of default data identifiers, NextRequest looks for:
Credentials (AWS secret keys, OpenSSH private keys, PGP private keys, Public-Key Cryptography Standard (PKCS) private keys, PuTTY private keys);
Financial Information (Bank account number, Credit card expiration date, Credit card magnetic strip data, Credit card number, Credit card verification code);
Personal Health Information (Drug Enforcement Agency (DEA) Registration Number, Health Insurance Claim Number (HICN), Health insurance or medical identification number, Healthcare Common Procedure Coding System (HCPCS) code, National Drug Code (NDC), National Provider Identifier (NPI), Unique device identifier (UDI));
Personally Identifiable Information (Birth date, Driver’s license identification number, Electoral roll number, Full name, Global Positioning System (GPS) coordinates, Mailing address, National identification number, National Insurance Number (NINO), Passport number, Permanent residence number, Phone number, Social Insurance Number (SIN), Social Security number (SSN), Taxpayer identification or reference number, Vehicle identification number (VIN)).
How does the NextRequest Risk Module determine severity level?
Using the findings produced by the sensitive data scan, a severity score is assigned based on the type and number of occurrences of sensitive data. In the event that NextRequest detects multiple different data types, it will return the highest severity level for that document.
Credentials:
| Data type | 1 occurrence | 2–99 occurrences | 100 or more occurrences |
| --- | --- | --- | --- |
| AWS secret keys | High | High | High |
| OpenSSH private keys | High | High | High |
| PGP private keys | High | High | High |
| Public-Key Cryptography Standard (PKCS) private keys | High | High | High |
| PuTTY private keys | High | High | High |
Financial:
| Data type | 1 occurrence | 2–99 occurrences | 100 or more occurrences |
| --- | --- | --- | --- |
| Bank account number | High | High | High |
| Credit card expiration date | Low | Medium | High |
| Credit card magnetic strip data | High | High | High |
| Credit card number* | High | High | High |
| Credit card verification code | Medium | High | High |
PHI:
| Data type | 1 occurrence | 2–99 occurrences | 100 or more occurrences |
| --- | --- | --- | --- |
| Drug Enforcement Agency (DEA) Registration Number | High | High | High |
| Health Insurance Claim Number (HICN) | High | High | High |
| Health insurance or medical identification number | High | High | High |
| Healthcare Common Procedure Coding System (HCPCS) code | High | High | High |
| National Drug Code (NDC) | High | High | High |
| National Provider Identifier (NPI) | High | High | High |
| Unique device identifier (UDI) | Low | Medium | High |
PII:
| Data type | 1 occurrence | 2–99 occurrences | 100 or more occurrences |
| --- | --- | --- | --- |
| Birth date | Low | Medium | High |
| Driver’s license identification number | Low | Medium | High |
| Electoral roll number | High | High | High |
| Full name | Low | Medium | High |
| Global Positioning System (GPS) coordinates | Low | Medium | Medium |
| Mailing address | Low | Medium | High |
| National identification number | High | High | High |
| National Insurance Number (NINO) | High | High | High |
| Passport number | Medium | High | High |
| Permanent residence number | High | High | High |
| Phone number | Low | Medium | High |
| Social Insurance Number (SIN) | High | High | High |
| Social Security number (SSN) | High | High | High |
| Taxpayer identification or reference number | High | High | High |
| Vehicle identification number (VIN) | Low | Low | Medium |
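The scoring rule described above (severity per data type by occurrence count, highest level wins for the document) can be sketched as follows. This is an added illustration, not NextRequest's code: the three regex detectors, the Luhn filter, the function names, and the sample text are assumptions constructed for the example, and only the severity rows come from the tables on this page.

```python
import re

# Severity rows copied from the tables on this page, ordered as
# (1 occurrence, 2-99 occurrences, 100 or more occurrences).
SEVERITY_TABLE = {
    "OpenSSH private keys": ("High", "High", "High"),
    "Credit card number": ("High", "High", "High"),
    "Passport number": ("Medium", "High", "High"),
    "Phone number": ("Low", "Medium", "High"),
    "Vehicle identification number (VIN)": ("Low", "Low", "Medium"),
}
RANK = {"Low": 1, "Medium": 2, "High": 3}

# Simplified stand-in detectors (assumptions, not NextRequest's identifiers).
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
KEY_RE = re.compile(r"-----BEGIN OPENSSH PRIVATE KEY-----")

def luhn_ok(digits):
    """Luhn checksum: drops 16-digit strings that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan(text):
    """Return {data type: occurrence count} for the detectors above."""
    cards = [re.sub(r"\D", "", m) for m in CARD_RE.findall(text)]
    findings = {
        "Phone number": len(PHONE_RE.findall(text)),
        "Credit card number": sum(luhn_ok(c) for c in cards),
        "OpenSSH private keys": len(KEY_RE.findall(text)),
    }
    return {k: v for k, v in findings.items() if v}

def severity_for(data_type, count):
    """Pick the table column that matches the occurrence count."""
    if count < 1:
        raise ValueError("count must be at least 1")
    one, some, many = SEVERITY_TABLE[data_type]
    return one if count == 1 else some if count < 100 else many

def document_severity(findings):
    """Highest severity across all data types found. None for no findings
    is an assumption; the page does not describe that case."""
    levels = [severity_for(t, n) for t, n in findings.items()]
    return max(levels, key=RANK.get) if levels else None

# Constructed sample: one test card number (High) and one phone number (Low).
SAMPLE = "Card 4111 1111 1111 1111 on file; call 555-010-0101."
```

A single phone number alone would score Low, but the one card number in the same document raises the document to High, which is why a document tag can be higher than most of its individual findings suggest.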
How do I know what is flagged inside each document besides severity level?
By clicking on the severity risk tag (high risk, medium risk, etc.) on the document dashboard, the new Request page, or in RapidReview, you will open a small window that shows more information about that particular document. Findings information includes what specifically was flagged (e.g., phone number, credit card number) and how many times that piece of information was found in the document (5 phone numbers, 3 credit card numbers). This window will also show you more information about the document, such as the request number, file size, visibility, file type, and upload date.
On the document page, this information will be displayed next to the document on the top left side of the screen.
What does reviewed/not reviewed mean?
This feature allows admin users to verify whether or not a document has gone through proper reviewing channels and mark that document as reviewed. This in no way affects the document's risk level at this time, and a document will have both states (review state and risk level). Simply put, it is another tool to help collaborate and communicate a document’s ability to be published or released.
Where do these new risk and review tags appear?
Almost anywhere you see a document in your portal, you will see the risk and review tags associated with it. Here are all the locations in your portal where you can see Risk Module information:
Document Dashboard: This is the place where you can see a bird's-eye view of all documents across your portal. You can filter by visibility, review status, and risk level.
New request page: On our new request page, you can see all risk tags on the bottom of each document card. Clicking on a risk tag will open the document findings window. Clicking on the review tag allows you to swap between reviewed/needs review. You can also filter your documents here by visibility, risk level, and review status. Risk Module information is not available on the legacy request page.
RapidReview: Same as the new request page, all risk and review tags are attached to the bottom of each document card and operate the same way as the request page. Filtering by risk level and review status is not yet available in RapidReview.
Document page: All risk findings can be found directly on the document view and redact pages on the top left of the screen. On the far right you will find risk and review tags.
How often does the NextRequest Risk Module update?
After a document or set of documents is uploaded to a request, each document will be marked with a "pending" tag until it has been scanned by the Risk Module. Depending on how many documents have been uploaded, the system should have scan results about 20 minutes after upload (if you are still on the same page, you may need to refresh or come back to that request to see the updated tags). Once a document is scanned, the pending tag will be replaced with the appropriate risk category (high, medium, low, unscannable).
These "pending" documents can still be filtered and viewed just like any other risk level. Pending documents are not able to be marked as reviewed until they have finished scanning.
What file types are supported?
NextRequest only scans certain file types. At this time, that means only file formats that contain machine-readable text, such as OCRed PDFs, Word files, email files, CSV and Excel files, and other text-based documents. If a file cannot be scanned due to its file type, it will be given an “unscannable” tag and placed into the unscannable bucket. These files can still be reviewed manually using the review state feature, but will not receive a risk level.
Who can see Risk Module features?
Only internal agency staff can see Risk Module information. Only admins can access the document dashboard. Only publishers, dept. admins, and admins can mark review tags as reviewed. Requesters and the public never see any Risk Module information, regardless of whether the document or request is made public or released.
Does the Risk Module restrict the ability to release sensitive documents?
No. The Risk Module still allows documents in any severity category or review status to be released like any other document, without needing to be marked as reviewed or to have no risk level.
In the new request page, when changing the visibility of documents we provide a ‘risk report’ that gives a quick overview of the risk levels and review statuses of the documents you are about to release. While this does not restrict the user from releasing documents, it gives your agency more insight into specifically what is being released.