
Information, Application and Authorization Inventory Landing Page

This page is under construction
The information provided below may not be complete or fully tested. Take care when following draft instructions.
For more information on securing your data, see Information Protection @ MIT.


Overview

Knowing where low, medium, and high risk information resides, whether electronically or physically, is a key step in securing that information. Building an inventory that captures where information is and who has access to it involves three things: creating and maintaining a protected information inventory (including classification level, information owner, and users with access); creating and maintaining an inventory of systems (including device ownership, contact information, and network configuration); and maintaining a list of applications (including assigned risk classification level, data volume, and users with access).

How to begin

Step 1

Start by taking an asset inventory. The inventory should account for data in both electronic and hard copy format, and so should include two parts:

- A list of all systems under your area of responsibility that transmit, process, and/or store protected data. For each device, identify whether it is wired or wireless, the system owner and contact information, operating system, hostname, IP address, type of device (mobile, laptop, server), and location (on-premise, cloud).

| Device Name/Host name | IP | Wired/Wireless | Type of device | Operating System | Location (Building/Room) | Contacts |
|---|---|---|---|---|---|---|
| mycomputer.mit.edu | 18.x.x.x | Wired | Desktop | Linux (Redhat...) | X-00, 111 | |
| yourcomputer | 18.x.x.x | Wireless | Laptop | MacOS | | |
| thisserver.mit.edu | 18.x.x.x | Wired | Server | Windows Server 2012 | | |

- A list of all facilities/offices in which high risk information is produced or stored.

| Building | Office/Rm | Information Location | Occupants with access | Level of Access |
|---|---|---|---|---|
| X-00 | 111 | Locked File Cabinet | Me | Full |
| | | | Everyone Else, Visitors (i.e. vendors, contractors, other third parties) | None |

Step 2

- For the systems, expand the list to identify all applications and services running on each system, including web servers, databases (SQL, Oracle), FTP servers, custom-built applications, etc., and identify whether any are publicly accessible (for example, a web portal).

| Device Name/Host name | IP | Wired/Wireless | Type of device | Operating System | Location | Applications |
|---|---|---|---|---|---|---|
| mycomputer.mit.edu | 18.x.x.x | Wireless | Desktop | Linux (Redhat...) | | web server, sql database |
| yourcomputer | 18.x.x.x | Wireless | Laptop | MacOS | | ftp server |

Step 3

For each system, tag the type of data that is transmitted, processed, and/or stored (for example, employee date of birth, student transcripts, passport copies, driver's license). Classify each data type (insert link for MIT classifications), and identify an information owner (who may be different from the system owner) and any users with access, along with their roles, levels of access, and permissions. It is important to identify users with elevated privileges and to ensure that list is accurate.

| Device Name/Host name | IP | Wired/Wireless | Type of device | Operating System | Location | Applications | Information Processed | User Access |
|---|---|---|---|---|---|---|---|---|
| mycomputer.mit.edu | 18.x.x.x | Wireless | Desktop | Linux (Redhat...) | | web server/web portal | account credentials (usernames, passwords) | |
| | | | | | | sql database | student personal data | Admin Account |
| yourcomputer | 18.x.x.x | Wireless | Laptop | MacOS | | ftp server | | MIT User account |

Step 4

Take steps to protect any high risk information by encrypting it in transit and at rest, in addition to limiting access. Ensure that any public-facing websites with connections to back-end databases containing protected data are secure. Ensure access is limited to those with authorization/need to know. Also, be sure to store this inventory list itself on a secure system.
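Once the inventory from Steps 1 to 3 is kept as a CSV file, the gaps that Steps 3 and 4 ask about can be checked automatically. The following is an added example, not part of the original page or any MIT tooling; the column names, the `review` function, and the sample rows (built around the hostnames used in the tables above) are assumptions.

```python
import csv
import io

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE = """\
host,application,public,data_type,classification,info_owner,privileged_users
mycomputer.mit.edu,web portal,yes,account credentials,high,,admin
mycomputer.mit.edu,sql database,no,student personal data,high,registrar,admin;dba
yourcomputer,ftp server,no,,,,
thisserver.mit.edu,file share,no,meeting notes,low,dept-admin,
"""

LEVELS = {"low", "medium", "high"}  # risk levels named in the Overview

def review(csv_text):
    """Return (host, application, finding) tuples for rows needing follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row = {k: (v or "").strip() for k, v in row.items()}
        where = (row["host"], row["application"])
        level = row["classification"].lower()
        # Step 3: every application needs a data type and a valid classification.
        if not row["data_type"]:
            findings.append(where + ("data type not recorded",))
        if level not in LEVELS:
            findings.append(where + ("classification missing or invalid",))
            continue
        if not row["info_owner"]:
            findings.append(where + ("no information owner",))
        if level == "high":
            # Step 4: public exposure of high risk data is the first thing to check.
            if row["public"].lower() == "yes":
                findings.append(where + ("high risk data behind public service",))
            # Step 3: the elevated-privilege list must exist so it can be verified.
            if not row["privileged_users"]:
                findings.append(where + ("privileged users not listed",))
    return findings

if __name__ == "__main__":
    for host, app, finding in review(SAMPLE):
        print(f"{host:22} {app:14} {finding}")
```
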


IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

February 15, 2019
