Sensitive Information Identification and Remediation

The Sensitive Information Identification Remediation (SIIR) program is a campus security initiative to identify and resolve instances of sensitive university data stored inappropriately on campus or in cloud-based systems. The Office of Information Technology (OIT), in collaboration with university data stewards and other stakeholders, uses a combination of automated tools and other techniques to locate sensitive data:

  • Social security numbers
  • Credit card data covered under the Payment Card Industry Data Security Standard (PCI DSS)
  • Bank account information
  • Health information protected under the Health Insurance Portability and Accountability Act (HIPAA) of 1996
  • Sensitive research data
  • Other sensitive data (per the Tables of Data Elements on the Determining Sensitivity Levels for Shared Data page).

SIIR Program Benefits

  • Reduced instances of costly data breaches or exposure
  • Increased compliance with university policies and state, federal, and contractual requirements
  • Timely identification and correction of accidental insecure storage of sensitive data

Tools

Spirion

  • Formerly named Identity Finder, Spirion is the primary tool for use with SIIR.
  • Spirion is being used to scan and remediate sensitive information on university-owned machines and data stores.
  • The names Identity Finder and Spirion are used interchangeably on the company website and also at NC State.

Scanning Focus

  • PCI data (primary focus)
  • Credit card numbers
  • Social security numbers

Scanning Schedule

  • OIT Security and Compliance (OIT S&C) plans to run quarterly host scans at random intervals during a Tuesday through Thursday window.
  • Scans will run in the background with a slight impact on system performance.
  • OIT S&C will manage the results centrally, and if sensitive data is identified, OIT S&C contact the user or local IT support staff.
  • Scans are scheduled for the following dates in 2020:
    • February 11
    • May 12
    • August 11
    • November 10

Scanning Duration

  • The length of time to complete a scan depends on the amount of data being searched and the scanned computer’s performance.
  • Depending on the hard drive size and the power of the computer being scanned, the initial scan may take a significant amount of time.
  • Subsequent scans are generally faster and do not impact system performance.

Computer Performance during Scanning

If you experience significant sluggishness, please contact the NC State Help Desk at 919.515.4357 (HELP)

Spirion Deployment

OIT S&C requires that Spirion data security software be deployed by Monday, Nov. 27, 2017 on all university-owned devices that run Windows or macOS and are managed by WolfTech Active Directory/SCCM or Jamf Pro. This includes servers, desktops, and laptops.

For Managed Workstations

  • Managed workstations receive Spirion software during deployment service per established policies and schedules.
  • No action is required by the user to run the application.
  • If sensitive data is discovered, OIT S&C will notify and assist the user with data remediation.

For Non-managed Desktops and Laptops

To download Spirion for non-managed Windows and Macintosh desktops and laptops, visit Software Licensing.

Exception Requests

In the event a university-owned system requires an exemption from Spirion installation, the department must complete an IT Exception Request with proper justification for the exemption review.  Once OIT S&C reviews and approves the request, the system will be placed in the appropriate exception group.

Availability

  • Spirion is available in Jamf Pro, SCCM and Software Licensing.
  • NOTE: This is a new package. Please replace the current deployment with this new version.

Additional Information

Visit the Spirion website: Links to User Guides, Documentation, and Feedback

Help

Please report any issues or questions to the NC State Help Desk at 919.515.4357 (HELP)