SIR

The Sensitive Information Remediation Project, better known as Project SIR, is a campus-wide initiative with the purpose to scan, find, delete and/or secure sensitive information.

ITS is working with the entire community campus-wide to provide the tools, procedures and reporting necessary to help data owners discover sensitive information and to provide options to secure such information.

 

In a 2011 University-wide assessment of risk, sensitive University-owned information was found to be “nearly ubiquitous.”

  • Sensitive information (SI) is sometimes stored on end user computers that are not encrypted and secured and central shared storage not registered with the System Administration Initiative (SAI)
  • Copies of the same sensitive file are often found on multiple systems
  • Sensitive information tends to migrate with users when they are assigned a new computer or their roles change within the organization
  • Older, sensitive information is seldom securely deleted after the business need for the information expires
Seek and identify sensitive, University-owned information using Identity Finder

  • ITS has licensed a file scanning application, Identity Finder, for all faculty, staff and any students who may have sensitive information (SI)
  • Scan for: Social Security numbers, passport numbers and credit card numbers
  • Upon departmental leader request, the ITS technical team will help a department organize a scan for additional identifiers

Remediate sensitive information

  • Delete the document containing sensitive information if it is not needed (using Identity Finder)
  • If the document is needed, remove only sensitive fields (e.g., replace 123-45-6789 with xxx-xx-xxxx) (using Identity Finder)
  • If retention of the sensitive information is required, store the SI safely on professionally managed, central file storage that meets the requirements of the System Administration Initiative (SAI). When essential for intensive local use, the SI may be stored on workstations or laptops that meet the required, enhanced security standards of the Information Security Controls Standard (https://its.unc.edu/about-us/how-we-operate/)

Manage sensitive information into the future

  • Appropriately classify information
  • Store safely on SAI-approved servers, or on a laptop or desktop secured as described above
  • Review risk regularly
  • Remediate sensitive information faculty and staff computers, even those that are encrypted, prioritizing those that are not encrypted for the first phase of the project
  • Remediate sensitive information on select student computers (i.e., students who likely have sensitive, University-owned information on their computers due to the nature of their studies or employment)
  • University-owned shared and individual storage running MS Windows or Mac OS X, or searchable from an Identity Finder client installed on those operating systems

For computers within the scope of this project, there are two primary tasks:

  • Perform the scan
  • Review the resulting match list and resolve flagged entries
    • Dismiss false positives
    • Remediate true positives through file deletion, removing only the sensitive information from the file, or storing the file with SI on a SAI-approved server

Time spent scanning and remediating the information will vary based on the amount of data and the amount of sensitive information identified during the scan. For example, a scan can take from 1 hour to more than 8 hours. Remediation of the match list may take a few minutes or a few hours.

The ITS Information Security Office began working with Project SIR early adopter participants in March 2014. ITS completed initial scans and remediation of ITS’s own desktops and laptops in June of 2014.

Other campus units begin scanning in July of 2014. Units are encouraged to scan high-risk areas first. The ITS Information Security Office can assist in identifying potential high-risk areas.

ITS will provide the following support:

  • Tools to scan and identify sensitive data
  • Documentation and Frequently Asked Questions (FAQs)
  • Lessons learned from ITS’s experience
  • Additional consultation and guidance as requested

Units will manage their own scanning timeline and schedule. End user laptops and desktops that are not encrypted, should be scanned and remediated first.

ITS regularly scans the UNC-CH web space (www.unc.edu).

Project SIR: Remediating Your Results

Project SIR - Frequently Asked Questions