Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.

Allison Dolan Program Director, Protecting PII

Handling Sensitive Data - WISP and PIRN

Presentation Overview

Context, including regulations

What types of data are at risk

What steps you must consider taking

Key Take-Aways

MA data protection regulations govern how certain sensitive data are handled

MIT has a new written information security program (WISP)

Everyone is responsible for compliance

• Know what data are in your systems

• Encourage “good hygiene” practices

MA Law & Regulations

MA data breach law 93H

◦ Definition of personal information

◦ Requirement to notify, if personal data compromised

MA data destruction law 93I

◦ Paper or electronic data must be destroyed so it can’t be read or reconstituted

MA data protection regulations

◦ Requirement to have written information security program (WISP)

◦ WISP includes administrative, physical and technical safeguards

Other considerations

FERPA – student info; currently no notification requirement

HIPAA/HITECH – protected health information (PHI); includes notification requirement, if PHI held by a covered entity or business associate

PCI-DSS – credit card information; some notification required

FISMA – Research information

MIT Policy

11.0 Privacy and disclosure of information

13.0 Information policies

Levels of Sensitivity

Highly Sensitive

◦ “Personal Information Requiring Notification” (PIRN), e.g. SSN, credit card #, financial account #, driver’s license #

◦ Medical information

◦ Student information

Medium Sensitivity

◦ Research, contract information

◦ Personnel data (e.g. salaries)

Lower Sensitivity

◦ Directory information (unless individual has opted out)

How Data is Exposed

• Accidents – inadvertent exposure. Reduce risk by:

◦ Eliminating sensitive data from desktops, laptops, USB drives, departmental paper files, scanned images, etc.

◦ Using safe computing practices (strong passwords, using anti-virus, ignoring phishing emails).

• Attacks – deliberate intent to capture data. Reduce risk of attacks from insiders and outsiders by:

◦ Encrypting data

◦ Logging access to sensitive data

◦ Physically securing files, etc.

What is at Risk?

Reputation of the Institute

Donor contributions

Cost of forensics, notification and consumer services

Fines or penalties imposed by federal, state, or other agencies

Inconvenience for affected individual(s)

Your personal reputation

Risk Management Framework

(diagram labels: BUSINESS PROCESSES, ROLES, POLICY, RESPONSIBILITIES)

• Minimize # of people with access to PIRN

• Minimize collection of PIRN

• Protect PIRN in our custody

• Securely destroy PIRN

Where Does PIRN Hide?

Central and distributed files/systems

Paper and electronic files

- Operational files

- Backup and archived data

- Email

Internal and 3rd party locations

Protected and unprotected spaces, with employee and non-employee access

Equipment queued up for redeployment

Other office equipment – copiers, printers, PDAs etc.

Processes with PIRN

Student-oriented processes

• Applications

• Student loans

• Ongoing services

Financially-oriented processes

• Independent contractors

• Reimbursements

• Miscellaneous payments

Employee-oriented processes

• HR systems & files

• Payroll, paychecks, benefits

• Employee certifications

Miscellaneous processes

• Donors

• Legal

• Campus Police

Key Message

“You can’t lose what you don’t have”

Avoid having sensitive data locally, especially PIRN (e.g. don’t keep email, Excel files, local databases, paper files)

Corollaries:

◦ “If you can’t protect it, don’t collect it”

◦ “You can’t protect what you don’t know you have.”

What IT can do

Ensure users know what it means to have strong passwords and how to protect them (including safe ways to record passwords)

Ensure users have a firewall, are applying patches, and running AV

◦ Set up desktops/laptops with ‘least privilege’ where possible

◦ Regularly check that patching/AV checks/backups are occurring as expected

What IT can do (cont’d)

Provide mechanisms for secure file access and file sharing; train users

Provide secure delete for PC (e.g. PGP; Eraser); train users

Install PGP Whole Disk Encryption on laptops

Install Identity Finder; set up for regular scans
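To show what a regular PIRN scan actually looks for, here is an added example (not from the presentation and not Identity Finder’s code): a small scanner that flags SSN-shaped and Luhn-valid credit-card-shaped values in local text files and reports them masked. The sample text and file handling are constructed for the demonstration.

```python
"""Added example: scan local text files for two PIRN patterns from the slides
(SSN and credit card number). Sample input is constructed, not real data."""
import os
import re
import tempfile
from pathlib import Path

# SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return (kind, line_no, masked_value) for each likely PIRN hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            hits.append(("ssn", n, "***-**-" + m.group()[-4:]))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append(("card", n, "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_files(paths) -> dict:
    """Scan each path; unreadable files are skipped, only files with hits are reported."""
    report = {}
    for p in paths:
        try:
            hits = scan_text(Path(p).read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            report[str(p)] = hits
    return report


# Constructed sample: one SSN, one Luhn-valid test card, one non-card digit run, a phone number
SAMPLE = ("Applicant: J. Doe, SSN 123-45-6789, loan approved\n"
          "Card on file 4111 1111 1111 1111 exp 12/29\n"
          "Order # 1234 5678 9012 3456 (not a valid card)\n"
          "Phone 617-252-1461\n")


def demo() -> dict:
    """Write the constructed sample to a temp file, scan it, and clean up."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(SAMPLE)
    try:
        return scan_files([f.name])
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    for path, hits in demo().items():
        for kind, line_no, masked in hits:
            print(f"{path}:{line_no}: {kind} {masked}")
```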

Address access from home

What IT can do (cont’d)

Eliminate any shared accounts; consider monitoring access to sensitive files

Have a process for sanitizing equipment (computers, copiers, etc.)

Know what to do in the event of a possible compromise

◦ Remove computer from network (wired or wireless)

◦ Contact [email protected]

Additional Steps

Understand who has what sensitive data, and for what purpose

Ensure new hires & temps are oriented to your data policies & practices

Review system authorizations at least annually; ensure access is removed for departed employees, contractors and temps

Include appropriate language in any 3rd party contracts

Questions/other followup? Feel free to contact:

Allison Dolan [email protected] 617.252.1461

If a machine has been compromised, or you otherwise suspect a breach, immediately contact [email protected]

MIT’s WISP:

http://web.mit.edu/infoprotect/wisp.html

Security Standards:

http://web.mit.edu/infoprotect/computer_security.html