Risk Level: Medium Risk

  • Secure destruction

    by

    Destroy devices and media that are no longer needed in a way such that no information can be recovered.

  • Data Retention

    by

    Observe applicable data retention policies upon project completion. Securely delete the information if possible. If you must retain a copy of information at this level, ensure that it remains secure.

  • Anonymize information

    by

    Anonymize information whenever possible and separate access to identified and de-identified data sets. For physical media store identified information in a separate locked file cabinet.

  • Code review

    by

    If you are developing (or contracting a vendor to develop) applications processing this level of information, review code and correct flaws prior to deployment.

  • Security by design

    by

    If you are developing (or contracting a vendor to develop) applications processing this level of information, include security as a design requirement.

  • Self Assessment

    by

    Review your systems and procedures regularly to ensure the tasks for this risk level are applied.

  • Incident Reporting

    by

    Promptly report actual or suspected compromise, including loss, theft, improper use, modification of, or access to information to security@mit.edu.

  • Mailing physical media

    by

    Use appropriately secure means when transferring physical media containing information. Track transfers to confirm that they reached the intended recipient.

  • Copiers & shared devices

    by

    Remove information on copiers, fax machines, or other shared devices promptly.

  • Encrypt passwords

    by

    Store and transmit only encrypted passwords.