Project SIR, the more commonly used name for the University’s Sensitive Information Remediation Project, can truly make a difference in reducing the exposure of sensitive information.
Information Technology Services knows that because the department—with a goal of determining best practices for the remediation project—surveyed peer institutions that conducted efforts similar to Project SIR, said Philip Long, an Academic IT Strategy and Project Consultant who has worked with UNC-Chapel Hill for the last 10 months on Project SIR. For the previous four decades, he worked in IT at Yale University, including his last 10 years at Yale as Chief Information Officer.
One school that ITS surveyed responded that prior to its remediation project, 80 percent of machine compromises resulted in exposure of sensitive information. After that campus scanned and remediated, only 20 percent of machine compromises resulted in exposure of sensitive information.
“That’s a big difference and that’s the kind of difference that UNC-Chapel Hill wants to achieve,” Long said.
Each individual must examine own machine
One of the biggest challenges that Carolina faces in reducing the risk of a sensitive information getting out, he said, is that only the person who owns the information can actually manage and decide how to deal with the information. “That means every single faculty member and staff member at UNC-Chapel Hill is going to end up having to look at their personal machines and their professional-use machines and make decisions about their data,” Long said.
Another important challenge at entrepreneurial, research-oriented universities such as UNC-Chapel Hill, he said, is that faculty members sometimes acquire machines that subsequently are not centrally cataloged. As a result, “we don’t really know how many machines there are on campus and exactly where they are. So it’s pretty hard to know that we get to them all.”
Although ITS doesn’t know the total number of work stations and servers that need to be scanned, Project SIR will enable the campus to build a better inventory and thus, further guard against exposure of sensitive information.
Progress reports boost motivation
As part of Project SIR, ITS provides summary reports to leadership at the unit level, at the school and division level and the campus-wide level.
“What we’ve discovered as we’ve worked with units to build these reports, is they’re self-motivating,” Long said. “The units themselves want to see their progress. They want to see that their entire department has participated in the program, so it’s essentially a self-reinforcing approach.”
Scanning is key
“We have a strong infrastructure base, but there’s nothing that substitutes for scanning. So scan, scan, scan, remediate, remediate, remediate,” he said. “We need to get the local units to be excited; we need to keep communicating with them. We need to help them see what they have accomplished. We have to honor the work that has been done so they have a sense of satisfaction from it.”
Be sure to check back with ITS News soon for a story and video with Matt Heinze, Project SIR team leader, who will discuss the collaboration involved in the Sensitive Information Remediation Project and the reasons he enjoys the effort.