OIT’s Cleanup secures private data

Lost laptops and poorly secured desktop machines can lead to costly data leaks. The Institute is taking steps toward preventing such leaks by locking down or eliminating sensitive private data stored on computer systems all over campus.

The initiative is called the Data Cleanup Campaign; it has been underway since Jan. 22 and runs until Feb. 8. It represents a combined effort by OIT and a variety of other campus departments to help individual units minimize the risk of exposing sensitive data and to promote a culture of responsible data management practices.

“It’s all of our jobs, as faculty and staff, to protect student information,” said Herbert Baines, OIT director of Information Security.

“The effort is multifactored: it’s to go back and delete old information when we don’t need it, and to reduce the number of data repositories that we have here on campus,” he said.

The goal is to maximize the amount of data that is stored on secure file servers and eliminate the habit of saving such files on more easily accessible machines where they are liable to be accessed by unauthorized parties.

“[Many departments] have set their employees’ desktops up so that as they’re saving documents, it’s automatically saved to the file server and it never hits the desktop at all,” said Victoria Anderson, OIT assistant director of Information Security.

Another large part of this effort is to locate old information saved on machines that no one is keeping track of any longer. It is particularly important to locate and secure old data files because Tech student and employee records used Social Security numbers as identifiers prior to 2003.

While OIT is coordinating the technical aspects and providing assistance as needed, each department is cleaning its own machines. A department that continues to keep data on its machines must report back to OIT so that PGP encryption can be applied to it.

Baines and Anderson said that this initiative represents the logical next step in the process of securing campus computer systems after having set up firewalls, anti-spyware, anti-virus and anti-spam measures.

“We have the physical controls in place and the network controls in place; now we’re attacking the business processes that lead to data being lost,” Baines said.

The search for sensitive data on these machines will be carried out via two methods. The first is to employ a program called Spider developed by the Cornell University IT Security Office.

The open-source application scours hard drives for anything that looks like private information and reports back to the user where the files containing this information are located on the drive.

The other method is much simpler: just manually checking all the obvious places where users save personal files on machines, such as the “My Documents” folder and any folders that users may have created on the C-drive.

“Sometimes we here at Georgia Tech rely a little too much on technology when common sense can prevail,” Baines said.