Data Security is Fundamental
Data security is crucial to all academic, medical, and business operations at MIT. All existing and new business and data processes should include a data security review to be sure MIT data is safe from loss and secured against unauthorized access.
Protecting information is easier said than done, but the effort can be eased by raising awareness of data security issues and implementing a security program, such as the WISP, which outlines how the MIT community can protect its sensitive and confidential information.
There is no silver bullet solution for protecting data. It involves knowing where sensitive data resides, what kind of data it is, whether the data needs to be retained, how and where to store the data that is kept, and how to make accessing and sharing this information secure. When data is no longer needed, appropriate steps need to be taken to remove it.
Create a plan to review your data security status and policies. Create routine processes to access, handle and store the data safely as well as archive unneeded data. Make sure you and your colleagues know how to respond if you have a data loss or data breach incident.
Know What Data You Have
You can't protect what you don't know you have.
The first step to data protection is knowing what data you have and what levels of protection are required to keep the data confidential and safe from loss.
Scale Down the Data
If you don't need it, don't keep it.
Keep only the data you need for routine business, safely archive older data, and remove it completely from all computers and other devices (smart phones, laptops, flash drives, external hard disks).
Physical security is the key to safe and confidential computing. All the passwords in the world won't get your laptop back if it is stolen. Back up the data to a safe place in case of loss or theft, and ensure the laptop is encrypted if it contains sensitive information.
In the Event of a Data Breach
Sometimes even the most careful precautions will not prevent data from being exposed. If a data breach does occur, do you know how to notify the appropriate people? What are the implications of disclosure? In the event of a data breach, MIT has a notification process.