
Handling Sensitive Data - WISP and PIRN


Presentation Transcript


  1. Handling Sensitive Data - WISP and PIRN
     Allison Dolan, Program Director, Protecting PII

  2. Presentation Overview
     • Context, including regulations
     • What types of data are at risk
     • What steps you must consider taking

  3. Key Take-Aways
     • MA data protection regulations govern how certain sensitive data are handled
     • MIT has a new written information security program (WISP)
     • Everyone is responsible for compliance
     • Know what data are in your systems
     • Encourage “good hygiene” practices

  4. MA Law & Regulations
     • MA data breach law 93H – definition of personal information; requirement to notify if personal data are compromised
     • MA data destruction law 93I – paper or electronic data must be destroyed so it can’t be read or reconstituted
     • MA data protection regulations – requirement to have a written information security program (WISP); the WISP includes administrative, physical and technical safeguards

  5. Other considerations
     • FERPA – student info; currently no notification requirement
     • HIPAA/HITECH – protected health information (PHI); includes a notification requirement if PHI is held by a covered entity or business associate
     • PCI-DSS – credit card information; some notification required
     • FISMA – research information
     • MIT Policy – 11.0 Privacy and disclosure of information; 13.0 Information policies

  6. Levels of Sensitivity
     • Highly Sensitive – “Personal Information Requiring Notification” (PIRN), e.g. SSN, credit card #, financial account #, driver’s license #; medical information; student information
     • Medium Sensitivity – research, contract information; personnel data (e.g. salaries)
     • Lower Sensitivity – directory information (unless the individual has opted out)

  7. How Data is Exposed
     Accidents – inadvertent exposure. Reduce risk by:
     • Eliminating sensitive data from desktops, laptops, USB drives, departmental paper files, scanned images, etc.
     • Using safe computing practices (strong passwords, using anti-virus, ignoring phishing emails)
     Attacks – deliberate intent to capture data. Reduce the risk of attacks from insiders and outsiders by:
     • Encrypting data
     • Logging access to sensitive data
     • Physically securing files, etc.

  8. What is at Risk?
     • Reputation of the Institute
     • Donor contributions
     • Cost of forensics, notification and consumer services
     • Fines or penalties imposed by federal, state, or other agencies
     • Inconvenience for affected individual(s)
     • Your personal reputation

  9. Risk Management Framework
     Framework elements (from the slide diagram): BUSINESS PROCESSES, POLICY, ROLES, RESPONSIBILITIES
     • Protect PIRN in our custody
     • Securely destroy PIRN
     • Minimize collection of PIRN
     • Minimize # of people with access to PIRN

  10. Where Does PIRN Hide?
     • Central and distributed files/systems
     • Paper and electronic files – operational files; backup and archived data; email
     • Internal and 3rd party locations
     • Protected and unprotected spaces, with employee and non-employee access
     • Equipment queued up for redeployment
     • Other office equipment – copiers, printers, PDAs, etc.

  11. Processes with PIRN
     Student-oriented processes
     • Applications
     • Student loans
     • Ongoing services
     Employee-oriented processes
     • HR systems & files
     • Payroll, paychecks, benefits
     • Employee certifications
     Miscellaneous processes
     • Donors
     • Legal
     • Campus Police
     Financially-oriented processes
     • Independent contractors
     • Reimbursements
     • Miscellaneous payments

  12. Key Message
     “You can’t lose what you don’t have”
     • Avoid having sensitive data locally, especially PIRN (e.g. don’t keep it in email, Excel files, local databases, paper files)
     Corollaries:
     • “If you can’t protect it, don’t collect it”
     • “You can’t protect what you don’t know you have.”

  13. What IT can do
     • Ensure users know what it means to have strong passwords and how to protect them (including safe ways to record passwords)
     • Ensure users have a firewall, are applying patches, and are running AV
     • Set up desktops/laptops with ‘least privilege’ where possible
     • Regularly check that patching, AV checks and backups are occurring as expected

  14. What IT can do (con’t)
     • Provide mechanisms for secure file access and file sharing; train users
     • Provide secure delete for PCs (e.g. PGP; Eraser); train users
     • Install PGP Whole Disk Encryption on laptops
     • Install Identity Finder; set up for regular scans
     • Address access from home
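As an added example (not part of the presentation and not MIT's or Identity Finder's code), the kind of check a regular PIRN scan performs: it looks for the SSN and credit card patterns slide 6 lists as PIRN, drops false positives using the SSA's never-issued SSN ranges and the Luhn checksum, and reports only masked values so the report itself does not become another copy of the data. The file contents are a constructed sample.

```python
import re

# Constructed sample standing in for a departmental file; not real data.
SAMPLE_TEXT = """Reimbursement form - Alice Example
SSN: 219-09-9999
Card on file: 4111 1111 1111 1111
Loan ref: 000-12-3456 (not an issued SSN area)
Order number 1234-5678-9012-3456 fails the Luhn check
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pirn(text: str) -> list[tuple[str, int, str]]:
    """Return (kind, line_no, masked_value) for each likely PIRN hit; never the raw value."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                hits.append(("SSN", n, "***-**-" + m.group(3)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(("CARD", n, "*" * (len(digits) - 4) + digits[-4:]))
    return hits

if __name__ == "__main__":
    for kind, n, masked in find_pirn(SAMPLE_TEXT):
        print(f"line {n}: {kind} {masked}")
```

Hits are what a reviewer follows up on under slide 12's rule: the finding should lead to removing the data, not to keeping a list of it.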

  15. What IT can do (con’t)
     • Eliminate any shared accounts; consider monitoring access to sensitive files
     • Have a process for sanitizing equipment (computers, copiers, etc.)
     • Know what to do in the event of a possible compromise:
       – Remove the computer from the network (wired or wireless)
       – Contact infoprotect@mit.edu

  16. Additional Steps
     • Understand who has what sensitive data, and for what purpose
     • Ensure new hires & temps are oriented to your data policies & practices
     • Review system authorizations at least annually; ensure access is removed for employees, contractors and temps
     • Include appropriate language in any 3rd party contracts

  17. Questions/other followup?
     Feel free to contact: Allison Dolan, adolan@mit.edu, 617.252.1461
     If a machine has been compromised, or you otherwise suspect a breach, immediately contact infoprotect@mit.edu
     MIT’s WISP: http://web.mit.edu/infoprotect/wisp.html
     Security Standards: http://web.mit.edu/infoprotect/computer_security.html
