Information Storage Risk Reduction Landing Page
On this page:
Overview
Collecting, processing, sharing, and storing high risk information is a necessity for many functions including administrative and research purposes. With this come the risk of unintended exposure particularly through unauthorized access and data loss. There are, however, many ways to reduce your risks when handling medium and high risk data.
- For more information on how to classify and secure your data, see Information Protection @ MIT.
How To
Minimize the Collection of High Risk Information
- Limit the storage and collection of data at this risk level to that which is necessary to accomplish the legitimate purpose for which it is collected. Collect only the information that is required to accomplish your goal.
- For instance, if you need to collect contact information, requesting name, address, phone number and e-mail makes sense. Asking for date of birth, salary information etc. is outside of the scope of what is needed to contact an individual by any means. Additionally, if the intent is to establish only electronic communication, collecting name and e-mail are sufficient.
- If you find that you do not need the information anymore, be sure to destroy it securely (see the Information Retention and Deletion Landing Page)
Anonymize High Risk Information
- Anonymize information whenever possible and separate access to identified and de-identified data sets. For physical media store identified information in a separate locked file cabinet.
- See the COUHES (Committee on the Use of Humans as Experimental Subjects) site for more information on de-identified information.
Install Loss Prevention Software
- Install loss prevention software, such as Spirion, so you can track the high risk information you have and remove it if necessary. Spirion is an application that will search your device for certain types of high risk information. If any high risk information is found, you can use Spirion to shred, encrypt, or redact the file. For more information on Spirion and how it is used, please see the links below:
- What is Spirion (formerly Identity Finder) and why should I use Spirion (formerly Identity Finder) or any data inventory software?
- Obtain Spirion on the IS&T Software Grid
- Tips for using Spirion (formerly Identity Finder) at MIT
- Spirion - formerly Identity Finder - Frequently Asked Questions FAQ
Credit Card Processing
If you are accepting credit cards for payments, be sure you are working with VPF's Merchant Services. Credit card information is subject to the Payment Card Industry Data Security Standard (PCI-DSS) and it's important to maintain compliance.
Individual Health Information
Information on individual's health may be subject to HIPAA (Heath Insurance Portability and Accountability Act) or other policies and regulations. If you are using this data for research, be sure to contact COUHES (Committee on the Use of Humans as Experimental Subjects).
Export Controls
Export controls are U.S. laws and regulations that regulate and restrict the release of critical technologies, information, and services to foreign nationals, within and outside of the United States, and foreign countries for reasons of foreign policy and national security. The three main regulations are:
- International Traffic in Arms Regulations (ITAR) from the U.S. Department of State (Directorate of Defense Trade Controls) which covers items and services related to military/defense applications, including spacecraft and satellites.
- Export Administration Regulations (EAR) from the U.S. Department of Commerce (Bureau of Industry and Security) which covers "dual use" civilian/military items and technology.
- Office of Foreign Assets Control (OFAC) from the U.S. Department of the Treasury, which covers restrictions due to foreign trade embargoes and economic sanctions
If you think you may have Export Controlled data or technology, please contact MIT's Export Control Officer for more information.
Have Questions or Still Need Help?
- Contact the IS&T Service Desk