handling sensitive data wisp and pirn n.
Skip this Video
Loading SlideShow in 5 Seconds..
Handling Sensitive Data - WISP and PIRN PowerPoint Presentation
Download Presentation
Handling Sensitive Data - WISP and PIRN

Loading in 2 Seconds...

play fullscreen
1 / 17

Handling Sensitive Data - WISP and PIRN - PowerPoint PPT Presentation

  • Uploaded on

Handling Sensitive Data - WISP and PIRN. Allison Dolan Program Director, Protecting PII. Context, including regulations What types of data are at risk What steps you must consider taking. Presentation Overview. Key Take-Aways.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Handling Sensitive Data - WISP and PIRN' - venus

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
handling sensitive data wisp and pirn

Handling Sensitive Data -WISP and PIRN

Allison Dolan

Program Director, Protecting PII

presentation overview
Context, including regulations

What types of data are at risk

What steps you must consider taking

Presentation Overview
key take aways
Key Take-Aways

MA data protection regulations govern how certain sensitive data are handled

MIT has a new written information security program (WISP)

Everyone is responsible for compliance

Know what data are in your systems

Encourage “good hygiene” practices

ma law regulations
MA Law & Regulations

MA data breach law 93H –

Definition of personal information

Requirement to notify, if personal data compromised

MA data destruction law 93I –

Paper or electronic data must be destroyed so it can’t be read or reconstituted

MA data protection regulations

Requirement to have written information security program (WISP)

WISP includes administrative, physical and technical safeguards

other considerations

Other considerations

FERPA – student info; currently no notification requirement

HIPAA/HITECH – protected health information (PHI); includes notification requirement, if PHI held by a covered entity or business associate

PCI-DSS – credit card information; some notification required

FISMA – Research information

MIT Policy

11.0 Privacy and disclosure of information

13.0 Information policies

levels of sensitivity
Levels of Sensitivity

Highly Sensitive

“Personal Information Requiring Notification” (PIRN) e.g. SSN, credit card #, financial account #, driver’s license #

Medical information

Student information

Medium Sensitivity

Research, contract information

Personnel data (e.g. salaries)

Lower Sensitivity

Directory information (unless individual has opted out)

how data is exposed
How Data is Exposed

Accidents – inadvertent exposure

Reduce risk by

•Eliminating sensitive data from desktops, laptops, USB drives, departmental paper files, scanned images, etc.

•Using safe computing practices (strong passwords, using anti-virus, ignoring phishing emails).

Attacks – deliberate intent to capture data

Reduce risk of attacks from insiders and outsiders by:

•encrypting data

•logging access to sensitive data

•physically securing files, etc.

what is at risk
What is at Risk?
  • Reputation of the Institute
  • Donor contributions
  • Cost of forensics, notification and consumer services
  • Fines or penalties imposed by federal, state, or other agencies
  • Inconvenience for affected individual(s)
  • Your personal reputation
risk management framework
Risk Management Framework




Protect PIRN

in our custody

Securely destroy



Minimize collection of


Minimize # of people

with access to


where does pirn hide
Where Does PIRN Hide?

Central and distributed files/systems

Paper and electronic files

- Operational files

- Backup and archived data

- Email

Internal and 3rd party locations

Protected and unprotected spaces, with employee and non-employee access

Equipment queued up for redeployment

Other office equipment – copiers, printers, PDAs etc.


Processes with PIRN



Employee-oriented processes


•Student loans

•Ongoing services

•HR systems & files

•Payroll, paychecks, benefits

•Employee certifications

Miscellaneous processes

Financially-oriented processes



•Campus Police

•Independent contractors


•Miscellaneous payments

key message
Key Message

“You can’t lose what you don’t have”

Avoid having sensitive data locally, especially PIRN, (e.g. don’t keep email, Excel files, local databases, paper files)


“If you can’t protect it, don’t collect it”

“You can’t protect what you don’t know you have.”

what it can do
What IT can do

Ensure users know what it means to have strong passwords and how to protect them (including safe ways to record passwords)

Ensure users have firewall, are applying patches, and running AV

Set up desktops/laptops with ‘least privilege’ where possible

Regularly check that patching/AV checks/backups are occurring as expected

what it can do con t
What IT can do (con’t)

Provide mechanisms for secure file access and file sharing; train users

Provide secure delete for PC (e.g. PGP; Eraser); train users

Install PGP Whole Disk Encryption on laptops

Install Identity Finder; set up for regular scans

Address access from home

what it can do con t1
What IT can do (con’t)

Eliminate any shared accounts; consider monitoring access to sensitive files

Have a process for sanitizing equipment (computers, copiers, etc.)

Know what to do in the event of a possible compromise

Remove computer from network (wired or wireless)

Contact infoprotect@mit.edu

additional steps
Additional Steps

Understand who has what sensitive data, and for what purpose

Ensure new hires & temps are oriented to your data policies & practices

Review system authorizations at least annually; ensure access removed for employees, contractors and temp

Include appropriate language in any 3rd party contracts


Questions/other followup?

Feel free to contact:

Allison Dolan adolan@mit.edu617.252.1461

If a machine has been compromised, or you otherwise suspect a breach, immediately contact infoprotect@mit.edu



Security Standards: