Handling Sensitive Data - WISP and PIRN
Allison Dolan, Program Director, Protecting PII, MIT


Slide 1: Handling Sensitive Data - WISP and PIRN
Allison Dolan, Program Director, Protecting PII

Slide 2: Presentation Overview
- Context, including regulations
- What types of data are at risk
- What steps you must consider taking

Slide 3: Key Take-Aways
- MA data protection regulations govern how certain sensitive data are handled
- MIT has a new written information security program (WISP)
- Everyone is responsible for compliance
- Know what data are in your systems
- Encourage "good hygiene" practices

Slide 4: MA Law & Regulations
- MA data breach law (M.G.L. c. 93H)
  ◦ Defines "personal information"
  ◦ Requires notification if personal information is compromised
- MA data destruction law (M.G.L. c. 93I)
  ◦ Paper or electronic records must be destroyed so they cannot be read or reconstituted
- MA data protection regulations (201 CMR 17.00)
  ◦ Require a written information security program (WISP)
  ◦ The WISP must include administrative, physical and technical safeguards

Slide 5: Other Considerations
- FERPA – student information; currently no breach notification requirement
- HIPAA/HITECH – protected health information (PHI); includes a notification requirement if the PHI is held by a covered entity or business associate
- PCI-DSS – payment card information; some notification required
- FISMA – research information handled on or for federal information systems
- MIT Policy 11.0 Privacy and Disclosure of Information; 13.0 Information Policies

Slide 6: Levels of Sensitivity
- Highly Sensitive
  ◦ "Personal Information Requiring Notification" (PIRN), e.g. SSN, credit card number, financial account number, driver's license number
  ◦ Medical information
  ◦ Student information
- Medium Sensitivity
  ◦ Research and contract information
  ◦ Personnel data (e.g. salaries)
- Lower Sensitivity
  ◦ Directory information (unless the individual has opted out)

Slide 7: How Data Is Exposed
- Accidents – inadvertent exposure. Reduce the risk by:
  ◦ Eliminating sensitive data from desktops, laptops, USB drives, departmental paper files, scanned images, etc.
  ◦ Using safe computing practices (strong passwords, running anti-virus, not responding to phishing emails)
- Attacks – deliberate intent to capture data. Reduce the risk from insiders and outsiders by:
  ◦ Encrypting data
  ◦ Logging access to sensitive data
  ◦ Physically securing files, etc.

Slide 8: What Is at Risk?
- Reputation of the Institute
- Donor contributions
- Cost of forensics, notification and consumer services
- Fines or penalties imposed by federal, state or other agencies
- Inconvenience for the affected individual(s)
- Your personal reputation

Slide 9: Risk Management Framework
(Diagram: the PIRN lifecycle below, surrounded by the labels Policy, Roles, Responsibilities and Business Processes.)
- Minimize collection of PIRN
- Minimize the number of people with access to PIRN
- Protect PIRN in our custody
- Securely destroy PIRN

Slide 10: Where Does PIRN Hide?
- Central and distributed files/systems
- Paper and electronic files: operational files, backup and archived data, email
- Internal and 3rd-party locations
- Protected and unprotected spaces, with employee and non-employee access
- Equipment queued up for redeployment
- Other office equipment – copiers, printers, PDAs, etc.

Slide 11: Processes with PIRN
- Student-oriented processes: applications, student loans, ongoing services
- Financially-oriented processes
- Employee-oriented processes: HR systems & files; payroll, paychecks, benefits; employee certifications
- Miscellaneous processes: independent contractors, reimbursements, miscellaneous payments, donors, legal, Campus Police

Slide 12: Key Message
"You can't lose what you don't have"
- Avoid keeping sensitive data locally, especially PIRN (e.g. in email, Excel files, local databases, paper files)
- Corollaries:
  ◦ "If you can't protect it, don't collect it"
  ◦ "You can't protect what you don't know you have"

Slide 13: What IT Can Do
- Ensure users know what a strong password is and how to protect it (including safe ways to record passwords)
- Ensure users have a firewall enabled, are applying patches, and are running anti-virus
  ◦ Set up desktops/laptops with least privilege (no day-to-day administrator rights) where possible
  ◦ Regularly check that patching, AV updates and backups are occurring as expected

Slide 14: What IT Can Do (cont'd)
- Provide mechanisms for secure file access and file sharing; train users
- Provide secure delete for PCs (e.g. PGP, Eraser); train users
- Install PGP Whole Disk Encryption on laptops
- Install Identity Finder and set it up for regular scans
- Address access from home
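Slides 10, 12 and 14 all turn on the same point: you cannot protect PIRN you have not found, so scanning file stores for SSNs and card numbers is the first concrete step. The script below is an added example written for this page, not Identity Finder's code and not part of the original presentation. It shows the two validators that make such a scan worth running: the SSN structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) and the Luhn mod-10 check for card numbers, which together discard most random digit runs (order IDs, phone numbers, timestamps) that a bare regex would flag. Findings are masked to the last four digits so the scan report does not become one more copy of the data. The file names and contents are constructed sample data; the tool itself only reads plain-text files.

```python
"""Scan plain-text files for PIRN (SSNs and payment-card numbers).

Added example for this page; it is not Identity Finder's code and not part
of the original presentation. Two validators keep the scan useful: SSN
structural rules and the Luhn check for card numbers, which together drop
most random digit runs a bare regex would flag. Findings are masked so the
report itself does not become another copy of the data.
"""
import re
import tempfile
from pathlib import Path

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every major card brand uses."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, e.g. 4111111111111111 -> ************1111."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pirn(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) for each validated SSN or card number in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            hits.append(("ssn", mask("".join(m.groups()))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", mask(digits)))
    return hits


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict[str, list[tuple[str, str]]]:
    """Scan plain-text files under root. Office/PDF content is out of scope
    for this example (a tool like Identity Finder also parses those)."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_pirn(path.read_text(errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample files (hypothetical data, not real people or accounts).
SAMPLES = {
    "payroll/old_export.csv": "name,ssn\nJ. Doe,123-45-6789\nA. Roe,987-65-4320\n",
    "orders/app.log": "order 2024091512345678 paid with 4111 1111 1111 1111\n",
    "notes.txt": "call 617-555-0100; ticket 000-12-3456 is not an SSN\n",
}


def scan_samples() -> dict[str, list[tuple[str, str]]]:
    """Write SAMPLES to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(name)
        for kind, value in hits:
            print(f"  {kind}: {value}")
```

Run it against a real share by calling scan_tree(Path("/path/to/share")) instead of scan_samples(). In the constructed samples, 987-65-4320 and 000-12-3456 are dropped by the SSN rules and the 16-digit order number fails Luhn, so only the real SSN in the payroll export and the test card number in the order log are reported, both masked.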

Slide 15: What IT Can Do (cont'd)
- Eliminate any shared accounts; consider monitoring access to sensitive files
- Have a process for sanitizing equipment (computers, copiers, etc.) before it is redeployed or disposed of
- Know what to do in the event of a possible compromise:
  ◦ Remove the computer from the network (wired or wireless)
  ◦ Contact infoprotect@mit.edu

Slide 16: Additional Steps
- Understand who has what sensitive data, and for what purpose
- Ensure new hires and temps are oriented to your data policies and practices
- Review system authorizations at least annually; ensure access is removed for employees, contractors and temps who have left or changed roles
- Include appropriate data-protection language in any 3rd-party contracts

Slide 17: Questions/Other Follow-up?
Feel free to contact: Allison Dolan, adolan@mit.edu, 617.252.1461
If a machine has been compromised, or you otherwise suspect a breach, immediately contact infoprotect@mit.edu
MIT's WISP: http://web.mit.edu/infoprotect/wisp.html
Security Standards: http://web.mit.edu/infoprotect/computer_security.html

