Why are we doing the Sensitive Information Remediation (SIR) Project?
In a 2011 University-wide assessment of risk, sensitive information was found to be “nearly ubiquitous”
- Sensitive information (SI) is often stored on desktop computers and central shared storage
- Copies of the same sensitive file are often found on multiple systems
- Sensitive information tends to migrate with users when they are assigned a new computer or their roles change within the organization
- Older, sensitive information is seldom securely deleted
What are the project's goals?
- Seek and identify sensitive, University-owned information using Identity Finder
- ITS has licensed a file scanning application, Identity Finder, for all faculty, staff and any students who may have SI
- Phase I will scan for: Social Security numbers, passport numbers and credit card numbers.
- Later phases may include scanning for additional identifiers. Upon departmental leader request, the ITS technical team will help a department organize a scan for additional identifiers.
- Remediate sensitive information
- Delete the document containing sensitive information if it is not needed (using Identity Finder)
- If the document is needed, remove only sensitive fields (e.g., replace 123-45-6789 with xxx-xx-xxxx) (using Identity Finder)
- If retention of the sensitive information is required, store the SI safely on professionally managed, central file storage that meets the requirements of the System Administration Initiative (SAI). When essential for intensive local use, the SI may be stored on workstations or laptops that meet the required, enhanced security standards (please see page 18 of the Information Security Policy).
- Manage sensitive information into the future
- Appropriately classify information regarding whether it is sensitive
- Store safely on SAI-approved file server
- Review regularly according to retention schedule approved by appropriate data steward
What is the scope of the project?
- Remediate sensitive information on all faculty and staff computers, even those that are encrypted
- Encryption protects sensitive information on equipment that is lost or stolen while shut down. When an encrypted computer is running, the files are at risk of exposure from intrusions.
- Remediate sensitive information on select student computers (i.e., students who likely have sensitive, University-owned information on their computers)
- University-owned shared and individual storage running MS Windows or Mac OS X, or searchable from an Identity Finder client installed on those operation systems
- University-owned servers running Microsoft Windows
- For computers, servers or storage space within the scope of this project, there are two primary tasks:
- Perform the scan
- Review the resulting match list and resolve flagged entries
- Dismiss false positives
- Remediate true positives through file deletion, removing only the sensitive information from the file, or storing the file with SI on a SAI- approved file server
- Time spent scanning and remediating the information will vary based on the amount of data and the amount of sensitive information identified during the scan. For example, a scan can take from 1 hour to more than 8 hours. Remediation of the match list may take a few minutes or a few hours.
What is the proposed timeline for the activity?
- ITS will complete scans and remediation of ITS’s own desktops, laptops, storage.unc.edu space and AFS space by June 1, 2014.
- The ITS Information Security Office began working with Project SIR early adopter participants in March 2014. Those departments include: Finance and Administration, Human Resources, University Development, School of Social Work, and selected departments in the College of Arts and Sciences.
- Other campus units may begin scanning in Spring 2014. Units are encouraged to scan high-risk areas first. The ITS Information Security Office can assist in identifying potential high-risk areas.
- ITS will provide the following support:
- Tools to scan and identify sensitive data
- Documentation and Frequently Asked Questions (FAQs)
- Project plans and lessons learned from ITS’s experience
- Additional consultation and guidance as requested
- Units will manage their own scanning timeline and schedule
- Data stewards will be asked to attest to remediation of data under their oversight. (Data stewards are individuals responsible for the oversight of information in their areas.)
- Options include:
- Attestation by individuals for information under their control (e.g., their assigned computers)
- Attestation by unit leads (chairs, directors, deans) for all the unit’s data
- A hybrid approach based on specific unit organizational structures
- Options include:
- Project SIR currently has a goal of remediating 90% of University-owned laptops and desktops, as well as departmental, individual, and shared file storage space (e.g. storage.unc.edu) by April 2015.