DoIT Taking Steps to Protect Sensitive Data on our AD server

Over the weekend of May 17-18, DoIT will be copying files found on our Active Directory (AD) servers that have sensitive information in them, encrypting those files, and storing them in a special location. DoIT will be glad to work with anyone who requires access to these files for their work or scholarship; we ask that you submit a help request ticket or email security@umbc.edu. Before giving these files back to you, we will have one of our staff contact you and go over procedures for how to safely store and work with files that contain sensitive information in a way that protects the university and individuals.

We want to thank everyone for your cooperation to date. As DoIT has been working with departments to remediate other places that have this information, we have seen great cooperation. We very much appreciate the way the UMBC community has supported the efforts to better protect the information of our students, alumni, staff, and faculty. We know this is abrupt, but we felt that getting the data into a secure state was of the greatest importance.

Below is some information to explain this further.

Why is DoIT removing these files from AD at this time?

Due to the data breach at UM-College Park, the Regents have instructed all institutions to take additional steps to identify personal information, such as SSNs, and protect it from being released. The Regents have asked that campuses undertake an inventory to find where this information is stored and take all appropriate measures to protect it. Under Maryland law, file encryption is one of the recognized measures for protecting information.

Why the sense of urgency?

Over the years, DoIT has consistently increased space for users and departments in our Active Directory environment. The sheer number of files makes the Active Directory (AD) server critical to protect. Because we feel most of these files were used in the past and most will not be needed immediately, we feel acting quickly is the best course of action to ensure we are protecting the university and each other's information.

What kind of files are being scanned?

The software that we have scans Word, Excel, PDF, and image files looking for SSNs. Most of the files it will find are old reports dating back many years, to when SSNs were regularly used. In many cases, the files may contain only a few SSNs.

How can I find out what files were taken from my account?

Please submit a ticket at http://my.umbc.edu/help, and we will send you back the list of files associated with your name. If you don't notice any files missing, it is likely the files we protected were no longer needed.

How do I get access to my files with SSNs in them?

You should submit a ticket through http://my.umbc.edu/help, and we will have someone work with you to go over the best way to do this. If you have a time-critical issue, please note that in the ticket and we will expedite this.

What should I do if I regularly deal with files that have SSNs in them as part of my job?

There are options available (encrypted hard drives, UMBC's Box.com service) for securely working with these kinds of files. DoIT will sit down with your staff to understand what your needs are and come up with a solution that meets your unit's needs while ensuring you are protecting the information and the university.

Will you continue to scan for sensitive files in my account?

Yes. We intend to run the process on a regular basis and scan, at least monthly, all files on Active Directory, removing and encrypting files with sensitive information in them.

Will DoIT delete these files at some point in the future?

There are no immediate plans to do this right now. Our plan is to work with units over the next fiscal year to review the files and discuss the best ways to safely handle sensitive data. As part of that process we will ask departments if there are any files that can be safely deleted.


Posted: May 16, 2014, 9:50 AM