This page is under construction.
The information provided below may not be complete or fully tested. Take care when following draft instructions.
For more information on securing your data, see Information Protection @ MIT.
Knowing where low-, medium-, and high-risk information resides, whether electronically or physically, is a key step in securing that information. Building an inventory that captures where information is and who has access to it involves creating and maintaining a protected information inventory (including classification level, information owner, and users with access); creating and maintaining an inventory of systems (including device ownership, contact information, and network configuration); and maintaining a list of applications (including assigned risk classification level, data volume, and users with access).
Start by taking an asset inventory. The inventory should account for data in both electronic and hard-copy form, and therefore has two parts:
- A list of all systems under your area of responsibility that transmit, process, and/or store protected data. For each device, record whether it is wired or wireless, the system owner and contact information, operating system, hostname, IP address, type of device (mobile, laptop, server), and location (on-premises, cloud).

| Device Name/Host name | IP | Wired/Wireless | Type of device | Operating System | Location (Building/Room) | Contacts |
|---|---|---|---|---|---|---|
| mycomputer.mit.edu | 18.x.x.x | Wired | Desktop | Linux (Redhat...) | X-00, 111 | |
| thisserver.mit.edu | 18.x.x.x | Wired | Server | Windows Server 2012 | | |
- A list of all facilities/offices in which high risk information is produced or stored.
| Building | Office/Rm | Information Location | Occupants with access | Level of Access |
|---|---|---|---|---|
| X-00 | 111 | Locked File Cabinet | Me | Full |
| | | | Everyone Else, Visitors (i.e. vendors, contractors, other third parties) | None |
- For each system, expand the list to identify all applications and services running on it, including web servers, databases (SQL, Oracle), FTP servers, custom-built applications, etc., and note whether any are publicly accessible (e.g., a web portal).

| Device Name/Host name | IP | Wired/Wireless | Type of device | Operating System | Location | Applications |
|---|---|---|---|---|---|---|
| mycomputer.mit.edu | 18.x.x.x | Wireless | Desktop | Linux (Redhat...) | | web server, sql database |
For each system, tag the type of data that is transmitted, processed, and/or stored (e.g., employee date of birth, student transcripts, passport copies, driver's license). Classify each data type (insert link for MIT classifications), identify an information owner (who may be different from the system owner), and record all users with access, their roles, and their levels of access and permissions. It is especially important to identify users with elevated privileges and to keep that list accurate.

| Device Name/Host name | IP | Wired/Wireless | Type of device | Operating System | Location | Applications | Information Processed | User Access |
|---|---|---|---|---|---|---|---|---|
| mycomputer.mit.edu | 18.x.x.x | Wireless | Desktop | Linux (Redhat...) | | web server/web portal | account credentials (usernames, passwords) | |
| | | | | | | sql database | student personal data | Admin Account |
| yourcomputer | 18.x.x.x | Wireless | Laptop | MacOS | | ftp server | | MIT User account |
Take steps to protect any high-risk information by encrypting it in transit and at rest, in addition to limiting access. Ensure that any public-facing websites with connections to back-end databases containing protected data are secured, and that access is limited to those with authorization and a need to know. Finally, store the inventory itself on a secure system, since it is a map of where your most sensitive data lives.
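As an added illustration (not MIT's own tooling), the inventory described above can be kept as structured records and checked mechanically: the script below models systems, their applications, the data each application handles and the users with access, then flags records that are incomplete, high-risk data that is unencrypted or sits behind a public-facing service, and lists every account with elevated privileges for review. The field names, risk labels, hostnames, addresses and sample records are constructed assumptions modelled on the table columns above.

```python
"""Protected-information inventory as structured records, plus the checks a
practitioner would run over it.  Added example; field names, risk labels and
sample data are constructed assumptions modelled on the inventory tables."""
from dataclasses import dataclass, field
from typing import List

RISK_LEVELS = ("low", "medium", "high")   # assumed classification labels
ELEVATED = {"admin", "full"}              # access levels treated as elevated


@dataclass
class UserAccess:
    user: str
    role: str
    level: str            # e.g. "read", "full", "admin"


@dataclass
class Application:
    name: str
    data_types: List[str]         # what is transmitted/processed/stored
    risk: str                     # classification of the most sensitive data type
    public: bool                  # reachable from outside, e.g. a web portal
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    users: List[UserAccess] = field(default_factory=list)


@dataclass
class System:
    hostname: str
    ip: str
    wired: bool
    device_type: str
    os: str
    location: str
    owner: str
    contact: str
    applications: List[Application] = field(default_factory=list)


def check_system(system):
    """Return the findings (strings) for one system record, in a stable order."""
    findings = []
    # Ownership and location are what you need when an incident happens.
    for required in ("owner", "contact", "location"):
        if not getattr(system, required).strip():
            findings.append(f"{system.hostname}: missing {required}")
    for app in system.applications:
        tag = f"{system.hostname}/{app.name}"
        if app.risk not in RISK_LEVELS:
            findings.append(f"{tag}: unknown risk level {app.risk!r}")
            continue
        if app.risk == "high":
            if not app.encrypted_in_transit:
                findings.append(f"{tag}: high-risk data not encrypted in transit")
            if not app.encrypted_at_rest:
                findings.append(f"{tag}: high-risk data not encrypted at rest")
            if app.public:
                findings.append(f"{tag}: high-risk data behind a public-facing service; verify hardening")
        if not app.users:
            findings.append(f"{tag}: no users with access recorded")
    return findings


def audit(systems):
    """Run check_system over the whole inventory."""
    findings = []
    for s in systems:
        findings.extend(check_system(s))
    return findings


def elevated_users(systems):
    """(hostname, application, user) for every elevated account, for periodic review."""
    return [(s.hostname, app.name, u.user)
            for s in systems for app in s.applications for u in app.users
            if u.level.lower() in ELEVATED]


def build_sample_inventory():
    """Constructed sample records (example.edu hosts, TEST-NET addresses)."""
    return [
        System("mycomputer.example.edu", "192.0.2.10", False, "Desktop", "Linux",
               "X-00, 111", "A. Owner", "owner@example.edu", applications=[
                   Application("web portal", ["account credentials"], "high", public=True,
                               encrypted_in_transit=True, encrypted_at_rest=True,
                               users=[UserAccess("webadmin", "administrator", "admin")]),
                   Application("sql database", ["student personal data"], "high", public=False,
                               encrypted_in_transit=True, encrypted_at_rest=False,
                               users=[UserAccess("dba", "administrator", "admin")])]),
        System("yourcomputer.example.edu", "192.0.2.11", False, "Laptop", "MacOS",
               "", "B. Owner", "", applications=[
                   Application("ftp server", ["course files"], "low", public=True,
                               encrypted_in_transit=False, encrypted_at_rest=False)]),
    ]


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for finding in audit(inventory):
        print("FINDING:", finding)
    for host, app, user in elevated_users(inventory):
        print("ELEVATED:", host, app, user)
```

The checks encode the page's own rules (encrypt high-risk data in transit and at rest, scrutinise public-facing services that reach protected data, know who has access) and nothing more; the same records can be exported to a spreadsheet or fed from a CSV once the columns are agreed.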
- Center for Internet Security (CIS) on Inventory and Control of Hardware Assets
- Center for Internet Security (CIS) on Inventory and Control of Software Assets
- National Institute of Standards and Technology (NIST) Publication on Specification for Asset Identification