Allison Dolan Program Director, Protecting PII Handling Sensitive Data - WISP and PIRN.
Presentation Overview
• Context, including regulations
• What types of data are at risk
• What steps you must consider taking

Key Take-Aways
• MA data protection regulations govern how certain sensitive data are handled
• MIT has a new written information security program (WISP)
• Everyone is responsible for compliance
  ◦ Know what data are in your systems
  ◦ Encourage “good hygiene” practices
MA Law & Regulations
• MA data breach law (93H)
  ◦ Definition of personal information
  ◦ Requirement to notify if personal data is compromised
• MA data destruction law (93I)
  ◦ Paper or electronic data must be destroyed so it can’t be read or reconstituted
• MA data protection regulations
  ◦ Requirement to have a written information security program (WISP)
  ◦ WISP includes administrative, physical and technical safeguards
Other considerations
• FERPA – student information; currently no notification requirement
• HIPAA/HITECH – protected health information (PHI); includes a notification requirement if PHI is held by a covered entity or business associate
• PCI-DSS – credit card information; some notification required
• FISMA – research information

MIT Policy
• 11.0 Privacy and disclosure of information
• 13.0 Information policies
Levels of Sensitivity
• Highly Sensitive
  ◦ “Personal Information Requiring Notification” (PIRN), e.g. SSN, credit card #, financial account #, driver’s license #
  ◦ Medical information
  ◦ Student information
• Medium Sensitivity
  ◦ Research, contract information
  ◦ Personnel data (e.g. salaries)
• Lower Sensitivity
  ◦ Directory information (unless the individual has opted out)
How Data is Exposed
• Accidents – inadvertent exposure. Reduce risk by:
  ◦ Eliminating sensitive data from desktops, laptops, USB drives, departmental paper files, scanned images, etc.
  ◦ Using safe computing practices (strong passwords, using anti-virus, ignoring phishing emails)
• Attacks – deliberate intent to capture data. Reduce the risk of attacks from insiders and outsiders by:
  ◦ Encrypting data
  ◦ Logging access to sensitive data
  ◦ Physically securing files, etc.
What is at Risk?
• Reputation of the Institute
• Donor contributions
• Cost of forensics, notification and consumer services
• Fines or penalties imposed by federal, state, or other agencies
• Inconvenience for affected individual(s)
• Your personal reputation
Risk Management Framework
(Diagram: business processes, roles, policy, responsibilities)
• Minimize collection of PIRN
• Minimize # of people with access to PIRN
• Protect PIRN in our custody
• Securely destroy PIRN
Where Does PIRN Hide?
• Central and distributed files/systems
• Paper and electronic files
  ◦ Operational files
  ◦ Backup and archived data
  ◦ Email
• Internal and 3rd party locations
• Protected and unprotected spaces, with employee and non-employee access
• Equipment queued up for redeployment
• Other office equipment – copiers, printers, PDAs etc.
Processes with PIRN
• Student-oriented processes
  ◦ Applications
  ◦ Student loans
  ◦ Ongoing services
• Financially-oriented processes
  ◦ Independent contractors
  ◦ Reimbursements
  ◦ Miscellaneous payments
• Employee-oriented processes
  ◦ HR systems & files
  ◦ Payroll, paychecks, benefits
  ◦ Employee certifications
• Miscellaneous processes
  ◦ Donors
  ◦ Legal
  ◦ Campus Police
Key Message
“You can’t lose what you don’t have.” Avoid having sensitive data locally, especially PIRN (e.g. don’t keep it in email, Excel files, local databases, paper files).
Corollaries:
◦ “If you can’t protect it, don’t collect it.”
◦ “You can’t protect what you don’t know you have.”
What IT can do
• Ensure users know what it means to have strong passwords and how to protect them (including safe ways to record passwords)
• Ensure users have a firewall, are applying patches, and are running AV
  ◦ Set up desktops/laptops with ‘least privilege’ where possible
  ◦ Regularly check that patching/AV checks/backups are occurring as expected
What IT can do (con’t)
• Provide mechanisms for secure file access and file sharing; train users
• Provide secure delete for PCs (e.g. PGP; Eraser); train users
• Install PGP Whole Disk Encryption on laptops
• Install Identity Finder; set it up for regular scans
• Address access from home
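The regular Identity Finder scans recommended above, and the corollary “You can’t protect what you don’t know you have,” come down to the same task: search files for PIRN patterns and filter candidates so that the report is not drowned in phone numbers and order IDs. The script below is an added example written for this page; it is not MIT’s tooling and not Identity Finder’s code. The SSN structural rules and the Luhn check are real public filters, but the sample records, file names and directory layout are constructed for illustration, and the script only recognizes SSNs and card numbers (financial account and driver’s license numbers have no reliable format and real tools rely on keyword context for them).

```python
# Added example (not MIT's or Identity Finder's code): a minimal PIRN
# discovery scan of the kind the slides recommend running regularly.
# Sample files and records below are constructed for illustration.
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# SSN candidates: 3-2-4 digits with optional '-' or ' ' separators, not
# embedded in a longer digit run (avoids matching inside account numbers).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
# Card candidates: 13 to 19 digits with optional single separators.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; rejects roughly 90% of random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules: area never 000, 666 or 900-999; group and serial never all zeros."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def mask(value: str) -> str:
    """Never write the full value into the scan report; keep the last four digits."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pirn(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked value) for each validated hit in a text blob."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits.append(("card", mask(m.group(0))))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", mask(m.group(0))))
    return hits


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> Dict[str, List[Tuple[str, str]]]:
    """Walk a directory and report masked hits per text file."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_pirn(path.read_text(errors="ignore"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


if __name__ == "__main__":
    # Constructed sample files standing in for a departmental export and a contact list.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll_export.csv").write_text(
            "name,ssn,card\nJane Doe,123-45-6789,4111 1111 1111 1111\n")
        (root / "phones.txt").write_text("Helpdesk 617 253 1000, placeholder 999-99-9999\n")
        for file, hits in scan_tree(root).items():
            print(file, hits)  # only the masked values ever reach the report
```

Point it at home directories, departmental shares and mail stores rather than at a temp directory, and treat every hit as a prompt for the key message: delete the file, or move the data into a system built to hold PIRN. The masking matters because a scan report that lists full SSNs is itself a new PIRN file.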
What IT can do (con’t)
• Eliminate any shared accounts; consider monitoring access to sensitive files
• Have a process for sanitizing equipment (computers, copiers, etc.)
• Know what to do in the event of a possible compromise
  ◦ Remove the computer from the network (wired or wireless)
  ◦ Contact [email protected]
Additional Steps
• Understand who has what sensitive data, and for what purpose
• Ensure new hires & temps are oriented to your data policies & practices
• Review system authorizations at least annually; ensure access is removed for departed employees, contractors and temps
• Include appropriate language in any 3rd party contracts
Questions/other follow-up? Feel free to contact:
Allison Dolan, [email protected], 617.252.1461

If a machine has been compromised, or you otherwise suspect a breach, immediately contact [email protected]

MIT’s WISP: http://web.mit.edu/infoprotect/wisp.html
Security Standards: http://web.mit.edu/infoprotect/computer_security.html