1 / 13

A dialogue with FMUG: Sensitive Data & Filemaker

A dialogue with FMUG: Sensitive Data & Filemaker. MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June 2006. What is sensitive data?. Sensitive data is any information that requires special care, protection or handling as a result of

arion
Télécharger la présentation

A dialogue with FMUG: Sensitive Data & Filemaker

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A dialogue with FMUG:Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern2 June 2006

  2. What is sensitive data? • Sensitive data is any information that requires special care, protection or handling as a result of • Federal or state law, or • MIT Policy 13.2.2 (http://mit.edu/policies/) • There may be other reasons as well, such as protection of MIT reputation, privacy of the individuals involved, etc. that lead to special care being taken.

  3. MIT Policy 13.2.2 says in part… • Individuals who manage or use the information and computing resources required by the Institute to carry out its mission must protect them from unauthorized modification, disclosure, and destruction. • Information--including data and software--is to be protected, regardless of the form or medium that carries the information. • Protection shall be commensurate with the risk of exposure and with the value of the information and of the computing resources.

  4. MIT’s Data Classifications • Extremely Sensitive Data -- significant risk • Sensitive Data -- moderate risk • MIT Only -- low risk • Public *** DRAFT ***

  5. Extremely Sensitive data are… • Data that, if disclosed, substantially increases the risk of • physical, • financial, • reputation, • legal or other harm • Such harm being directed to • individuals, groups or the Institute as a whole.

  6. Examples of Extremely Sensitive data: • Personally identifying information (PII): if a person's Social Security Number, along with name, is exposed, it could be exploited by identity thieves. Some states have passed laws requiring notification. • Protected health information (PHI): if a person’s medical history or status are exposed, it violates an individual’s fundamental right to privacy. It violates Federal HIPAA law. • Education records: if a student’s information is disclosed, it violates their privacy as defined under the Family Educational Records and Privacy Act (FERPA). • Responses to a Faculty Survey. If disclosed, it could result in damage to faculty careers!

  7. Sensitive Data are… • Those data that MIT may choose to keep confidential for Institute purposes, but whose disclosure does not substantially increase risk of physical, financial, reputational, legal or other harm to individuals, groups or the Institute as a whole. • Example: Salary information

  8. Institute Use Only Data are… • Those data that MIT provides to the MIT Community for general administrative use with the purpose of general efficiency. These data will often be made available in a manner that will result in their disclosure to non-MIT parties. In spite of that, the use/reuse of these data will usually be restricted on a case-by-case basis. • Example: Telephone Directory information (published). While this information is available in part online and in paper directories, reusing this information for telemarketing or similar purposes is prohibited. • Example: MIT ID Numbers (unpublished). While an individual’s specific MIT ID is not considered a secret, MIT does not publish lists of MIT IDs and the person that is associated with a particular ID.

  9. Information Protection Practices • Transmitting (or not) data safely • Storing data safely • Issues related to secondary storage locations • Backups, removable and transportable devices • Other issues • Media sanitizing • Theft

  10. Possible Guidelines for Transmitting Sensitive Data • To/from administrative applications • Encryption of content in transit required. • Achievable via encrypted tunnels like SSL for Web apps, for example. • By e-mail or file transfer (FTP) • Encryption of content required. • By Wireless/cellular technology • Do not transmit. • By FAX • FAX Machine must have limited physical access or a person authorized to view the specific sensitive data being sent will be present when the data is transmitted. • By Voice Mail • Do not leave restricted information in voice mail message. Don’t forget you can now have your voice mail messages forwarded to your email, so see above. Always request call back when you need to convey sensitive data.

  11. Possible Guidelines for Storing Sensitive Data • Storage on fixed media with access controls • No encryption required, with the exception of credit card / bank account information. • Storage on fixed media without access controls, but accessible via the web • Not allowed! Fixed media refers to permanently installed hard drives in desktop or server machines.

  12. Possible Guidelines for Storing Sensitive Data • Storage on fixed media without access controls, but not accessible via the web • Not advised. If restricted data must be stored on such devices, the devices must be stored in a secured location when not in use ( EX: Store data on a removable drive and lock in desk when not in use). • Storage on removable media* • Store in secured location when not in use. • Print hard copy report of information • Unattended printing permitted only if physical access controls are used to prevent unauthorized viewing. Removable media refers to the kinds of media that by their nature are not permanently installed, some examples include floppy disks, zip disks, CDs, DVDs, flash drives, DAT tapes, etc.

  13. Discussion How Does Filemaker 6 or 8 meet these needs?

More Related