Knowing where data resides
Protecting data is easier if you know where it is. It could reside in email, on external hard drives, or in folders that have accumulated on your computer over the years. Some data (such as passwords) could also reside in cached web files. A simple search with your computer's built-in search utility will not find all of this sensitive information if you don't know exactly what to search for.
A software tool called Spirion helps to find instances of data that could be sensitive. In particular it looks for passwords, credit card and bank account numbers, passport and driver's license numbers and Social Security Numbers (SSNs).
Sometimes we don't need the data stored on our computers to do our jobs. If it's sensitive and could be at risk of exposure, the best practice is to either delete it or store it somewhere safe, such as in a central database.
Don't just delete electronic files by putting them in the computer's trash bin. The user may no longer have access to those files, but they could still remain somewhere on the hard drive and be retrieved with a little effort. If you are removing sensitive files permanently from the device, be sure to erase these files securely.
Paper files with sensitive information require the same level of security. Use a cross-cut shredder or a service that guarantees safe removal and disposal for any paper files you no longer need.
Implement policies and best practices around access that cover broad categories of devices (printers, USB drives, mobile devices, etc.) as well as users (read-only access, super users). Also add fine-grained controls that allow administrators to grant limited, restricted exceptions to databases and the central storage of data. Examples include limiting access to a certain time of day, remote system management, and logs and shadow copies, so that in the event of data loss there is an easy way to determine exactly what was removed and when.
Encryption and safe storage
Regulations under the Massachusetts data protection law state that laptops and mobile devices that store sensitive data must be protected with encryption. Password protection is not enough, as most passwords can be quickly bypassed with the right tools. IS&T recommends whole-disk encryption rather than file or folder encryption because only one master passphrase is needed to decrypt an entire device. It also allows for passphrase recovery, should a computer's user forget the password or leave MIT. Use BitLocker for Windows machines and FileVault for Macs.