IT Security Support
Protecting Data
Why Protect Sensitive Data?
Protecting sensitive data is the end goal of almost all IT security measures. Whether you are putting a strong password on your computer, avoiding downloading harmful files, using virus protection software on your machine, or keeping your computer in a safe place, these all help to keep data from falling into the hands of people who may disclose it or use it for personal gain.
The two main reasons for protecting sensitive data are to avoid identity theft and to protect privacy. Identity theft occurs when someone uses your personal information without your permission to commit fraud or other crimes. In addition to identity theft, the improper disclosure of sensitive data can cause harm and embarrassment to students, faculty, staff and the Institute. Therefore, it is to everyone's advantage to ensure that sensitive data is protected.
What is Sensitive Data?
Data is assigned a level of sensitivity based on who should have access to it and how much harm would be done if it were disclosed. This assignment of sensitivity is called Data Classification.
Sensitive data can include, among other items:
- Social Security Numbers
- Contracts
- Financial Information
- Credit Card Numbers
- Medical Records
How to Protect Sensitive Data
Learn, and teach others, how sensitive the data handled in your area is, which guidelines should be followed, and which legal regulations apply to this type of data (e.g. FERPA or HIPAA). Understand what you can do to protect this information and what the implications of disclosure are. In the event of a data breach, MIT has a notification process.
Sensitive data comes in many forms, such as electronic, printed, voice, fiche, etc. Here are a few suggestions that may help protect the Institute's sensitive data:
- Avoid copying or downloading sensitive data from the Institute's administrative systems to your desktop computer, laptop, web server, PDA, etc. unless absolutely required. Ensure you have permission from your department administrator before downloading.
- If downloading is unavoidable:
  - Remove the confidential part of the information from the data if possible (e.g., SSN).
  - Store the data on a secure server if available. Contact the IT support personnel for your department if you are unsure.
  - Encrypt data.
  - Password-protect data.
- Physically protect devices that can be easily moved such as a PDA or laptop.
- Do not send unencrypted sensitive data via email. Email messages can be intercepted by third parties or inadvertently forwarded to those who have no authorization to view the data.
- Do not download or copy sensitive data to your home computer or other personal computer or device.
- Never store unencrypted sensitive data on a portable device.
- Protect printed sensitive data in a locked desk, drawer, or cabinet. Don't leave sensitive data unattended on a copier, fax machine, or printer. Shred sensitive data that needs to be discarded.
- Sanitize your computer before disposal or transfer of ownership according to the recommendations for secure media sanitizing.
- Learn more about protecting sensitive data at MIT.
[Thanks to East Carolina University for this list.]


