Protection of Hard Copy Files
In addition to removing PIRN from files where they are not required for business processes, recommended protective measures for paper, microfiche, or other non-computerized files include physically locking cabinets, drawers, offices and other areas containing these files.
Places where unsecured hard copy files collect (such as fax machines, copiers or mail rooms) must be monitored to minimize unauthorized access. Secure file destruction (such as using a cross-cut shredder or certified shredding service) ensures hard copy files with PIRN are never disposed of in regular trash or recycling bins.
Protection of Electronic Files - Minimum Security Standards
Massachusetts regulations 201 CMR §17.04 Computer System Security Requirements (see Appendix D) include a number of requirements related to the protection of electronic files.
MIT has developed a set of minimum IT security standards that – to the extent technically feasible – must be used for the protection of laptop and desktop computers, smart phones as well as mobile storage devices such as USB memory sticks that process, store, view or transmit PIRN.
While not an exhaustive list, below are technologies that, when used concurrently, would meet compliance requirements:
- Operating system and software updates
- Firewall configuration
- Virus and malware protection
- Protecting data in transit
- Physical security
- Data destruction/removal
- Data inventory
- Designation of workstations for specific functions
- Principle of least privilege
- Browser and email protections
- File server protections
For details on these standards, see the referenced document. Additional information can be found on the IS&T secure computing website.