Volume 21, No. 5, May/June 2006
Safe Computing: Tips for Handling Sensitive Data
Tim McGovern
Many MIT faculty, students, and staff handle sensitive data
on a routine basis. This data includes not only personal identifiers – such
as birthdates, Social Security numbers, and home addresses – but
also medical records, academic records (such as grades), salary information,
and research data and other intellectual property.
Sensitive data is often stored in electronic format, which can make
it more vulnerable to exposure. This article recommends some guidelines
for handling this data more safely.
Data Stewards and Distributed Data
MIT collects and stores sensitive data in large central administrative
systems – MITSIS, SAP HR, and the like. Departments, laboratories,
and research centers (DLCs) may also record some of the centrally maintained
data to support local decision-making and planning. The central administrative
data stewards ensure that proper safeguards are in place for their databases.
DLC staff must ensure that they have implemented corresponding safeguards.
This includes both protection for data that is stored and protection
for data that is being transmitted from one person or place
to another.
Protecting Stored Data
When you include sensitive data in any electronic files (e.g., Word,
Excel, FileMaker, Access), make sure that the computer on which those
files are stored is configured to require a strong username/password.
For better protection, you can also assign passwords for databases and
spreadsheets.
If you store files that contain sensitive data on removable media
such as flash drives, writable CDs, or DVDs, keep these in a secure location
when not in use. Printed copies of sensitive data require the same level
of protection.
It’s not a good idea to run web servers on any computer where
sensitive data resides, particularly personal computers, as these tend
to be more vulnerable to hacking than MIT’s
enterprise systems.
Protecting Transmitted Data
When conducting Institute business, you may need to send sensitive data
to another office. Most of MIT’s central administrative applications
use encryption to protect data as it travels from your office to the
central database. Use of Kerberos usernames and passwords
or MIT certificates ensures that only authorized maintainers can make
changes.
Since traffic on MITnet and other networks is subject to interception by
outsiders, sending sensitive data without encryption is strongly discouraged.
- Don’t send sensitive files as email attachments unless
they are protected.
- Don’t discuss confidential and sensitive matters over
mobile phones.
- Don’t fax sensitive documents unless you know that
the receiving fax is secure (i.e., only appropriate individuals have
access).
- Don’t use voice mail to convey sensitive information
unless you know that the message is secure. To be on the safe side,
request a call back when you need to provide sensitive data to others.