Access Keys:
Skip to content (Access Key - 0)

Information Storage Risk Reduction Landing Page

On this page:

Overview

Collecting, processing, sharing, and storing high risk information is a necessity for many functions including administrative and research purposes. With this come the risk of unintended exposure particularly through unauthorized access and data loss. There are, however, many ways to reduce your risks when handling medium and high risk data.

How To

Minimize the Collection of High Risk Information

  • Limit the storage and collection of data at this risk level to that which is necessary to accomplish the legitimate purpose for which it is collected. Collect only the information that is required to accomplish your goal.
  • For instance, if you need to collect contact information, requesting name, address, phone number and e-mail makes sense.  Asking for date of birth, salary information etc. is outside of the scope of what is needed to contact an individual by any means.  Additionally, if the intent is to establish only electronic communication, collecting name and e-mail are sufficient.
  • If you find that you do not need the information anymore, be sure to destroy it securely (see the Information Retention and Deletion Landing Page)

Anonymize High Risk Information

  • Anonymize information whenever possible and separate access to identified and de-identified data sets. For physical media store identified information in a separate locked file cabinet.
  • See the COUHES (Committee on the Use of Humans as Experimental Subjects) site for more information on de-identified information.

Install Loss Prevention Software

  • Install loss prevention software, such as Spirion, so you can track the high risk information you have and remove it if necessary. Spirion is an application that will search your device for certain types of high risk information. If any high risk information is found, you can use Spirion to shred, encrypt, or redact the file. For more information on Spirion and how it is used, please see the links below:

Credit Card Processing

If you are accepting credit cards for payments, be sure you are working with VPF's Merchant Services. Credit card information is subject to the Payment Card Industry Data Security Standard (PCI-DSS) and it's important to maintain compliance.

Individual Health Information

Information on individual's health may be subject to HIPAA (Heath Insurance Portability and Accountability Act) or other policies and regulations. If you are using this data for research, be sure to contact COUHES (Committee on the Use of Humans as Experimental Subjects).

Export Controls

Export controls are U.S. laws and regulations that regulate and restrict the release of critical technologies, information, and services to foreign nationals, within and outside of the United States, and foreign countries for reasons of foreign policy and national security. The three main regulations are:

  1. International Traffic in Arms Regulations (ITAR) from the U.S. Department of State (Directorate of Defense Trade Controls) which covers items and services related to military/defense applications, including spacecraft and satellites.
  2. Export Administration Regulations (EAR) from the U.S. Department of Commerce (Bureau of Industry and Security) which covers "dual use" civilian/military items and technology.
  3. Office of Foreign Assets Control (OFAC) from the U.S. Department of the Treasury, which covers restrictions due to foreign trade embargoes and economic sanctions

If you think you may have Export Controlled data or technology, please contact MIT's Export Control Officer for more information.

Have Questions or Still Need Help?

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

January 03, 2020

Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
Labels:
infoprotect infoprotect Delete
merch-review merch-review Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
Feedback
This product/service is:
Easy to use
Average
Difficult to use

This article is:
Helpful
Inaccurate
Obsolete
Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki