MIT's Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10)




Table of Contents

1. Program Summary
2. Definitions
   2.1 Identity Theft
   2.2 Personal Information Requiring Notification (PIRN)
3. Other Related Rules and Regulations
   3.1 Family Educational Rights and Privacy Act (FERPA)
   3.2 Payment Card Industry Data Security Standards (PCI DSS)
   3.3 Health Insurance Portability and Accountability Act (HIPAA)
   3.4 Gramm Leach Bliley Act (GLBA)
   3.5 FACTA "Red Flag Rules"
4. Roles
   4.1 Program Oversight
   4.2 Business Process Owners
   4.3 System Owners
   4.4 Department Heads and Other Managers
   4.5 Individuals with Access to PIRN
   4.6 Data Incident Response Team (DIRT)
   4.7 Information Technology Security Services (ITSS)
5. Minimizing PIRN on Campus
   5.1 Understanding Where PIRN Is
   5.2 Limiting Access to PIRN
6. Awareness, Training and Education
7. Third-Party Assurances
8. Protection of Hard Copy Files
9. Protection of Electronic Files
10. Monitoring and Enforcement
Appendix A: Program Oversight Responsibilities
Appendix B: Data Incident Response Team (DIRT)
Appendix C: Incident Response
Appendix D: Massachusetts General Laws Chapter 93I: Section 2. Standards for disposal of records containing personal information; disposal by third party; enforcement
Appendix E: 201 CMR 17.04 Computer System Security Requirements

Last Updated: 2/26/10 11:19 AM

1. Program Summary

This Information Security Program¹ has been adopted in accordance with chapter 93H of the Massachusetts General Laws and corresponding regulations setting forth Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17). These regulations apply to certain types of personal information that are commonly encountered in MIT business processes. The Massachusetts regulations identify personal information that, if exposed, may put the identified individuals at risk of identity theft [2.1]. The regulations require that the affected individuals be notified when this information is exposed as a result of unauthorized use or a security breach. In this document we refer to this information as Personal Information Requiring Notification or PIRN [2.2].

This Program applies to any area of MIT where PIRN, whether maintained in paper hard copy, electronically or in any other media, is collected, edited, manipulated, reviewed, reported, disposed of or stored.² It is the responsibility of all members of the MIT community to be aware when they are handling PIRN and to understand and follow the processes defined in or referenced from this document. For business processes and systems with PIRN, it is the responsibility of each Business Process Owner [4.2] or System Owner [4.3] to define the specifics of how the information in their stewardship will be protected, and to ensure anyone using the process or system is familiar with the protection protocol.

MIT's general approach to protecting PIRN is based on three pillars:

1. Minimizing the collection and storage of PIRN as well as limiting access on a need-to-know basis. Minimizing the collection and storage of PIRN will reduce the chance of its compromise by both limiting the number of staff members who have to handle this information, and reducing the likelihood of a mistaken disclosure. It will also reduce the risk of a technological compromise of electronic PIRN, whether via hacking, mistaken processing of data or loss of media containing such information.

2. Increasing staff awareness of data management along with providing appropriate education on how to protect PIRN. Educating and making staff aware of how to handle PIRN will help better protect it from disclosure or compromise.

3. Utilizing industry best practices in the management of the technology surrounding the processing and storage of PIRN. MIT makes use of and will continue to improve upon technology best practices to protect personal information, both at rest (while on storage media) and in transit (while being processed or communicated among both computer systems and people).

¹ This Program may also be referred to as WISP (Written Information Security Program).
² Some departments and laboratories have the responsibility to develop policies and procedures that pertain to special circumstances. For example, access to government-classified material at Lincoln Laboratory requires establishing specific procedures. In such cases, this Program is considered the minimally acceptable level of protection and control.

2. Definitions

2.1 Identity Theft

Identity theft is the illegal use of another person's identifying information in order to steal money or get other benefits.

2.2 Personal Information Requiring Notification (PIRN)

PIRN, which is currently equivalent to "personal information" under Massachusetts 201 CMR 17, is defined in this Program as a person's first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such a person:

(a) Social Security number;
(b) driver's license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account;

provided, however, that PIRN shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

3. Other Related Rules and Regulations

In addition to Massachusetts regulations, handlers of PIRN should also be aware of these other laws and regulations regarding personal information:

3.1 Family Educational Rights and Privacy Act (FERPA)

Although student education records which include an individual's Social Security number, financial account number or other PIRN are covered by this Information Security Program, all student records, regardless of whether they contain PIRN, are also subject to the requirements of FERPA. For more information, see MIT's Student Information Policy [http://web.mit.edu/policies/11/sip.html].

3.2 Payment Card Industry Data Security Standards (PCI DSS)

Personal credit card information is PIRN and is covered by this Information Security Program. Additionally, MIT merchants who accept personal credit cards must also follow MIT's Merchant Policies, which include MIT's PCI DSS Policy [https://web.mit.edu/chargemit/secure/policies/index.html].

3.3 Health Insurance Portability and Accountability Act (HIPAA)

For information about protected health information maintained by MIT Medical, see MIT's Medical Privacy page and MIT's Medical Privacy Policy [http://medweb.mit.edu/about/privacy/].

3.4 Gramm Leach Bliley Act (GLBA)

The GLBA requires financial institutions to adopt certain privacy safeguards. Insofar as covered transactions under GLBA include an individual's financial account number, this Information Security Program would also cover them.

3.5 FACTA "Red Flag Rules"

Section 114 of the Fair and Accurate Credit Transactions Act (FACTA), also known as the Red Flag Rules, requires that all organizations subject to the legislation develop and implement a written "Identity Theft Prevention Program" to detect, prevent and mitigate identity theft in connection with the opening of certain new and existing accounts.

In accordance with federal regulations, MIT has adopted an Identity Theft Prevention Program [http://web.mit.edu/infoprotect/docs/mit-red_flag_prog.pdf]. The safeguards referenced in the Identity Theft Prevention Program are the same as the minimum-security standards referenced in this Program.

4. Roles

4.1 Program Oversight

Oversight and maintenance of the Written Information Security Program is the responsibility of the Head of Information Services & Technology, the Vice President and General Counsel and the Institute Auditor. This group will carry out responsibilities as described in Appendix A.

4.2 Business Process Owners

Senior MIT Managers ("Business Process Executives") who have the functional or organizational responsibility for process(es) involving PIRN are expected to designate one or more Business Process Owners. Business Process Owners should have awareness of the relevant regulatory and compliance issues, as well as the responsibility and authority for defining the rights of others to collect, use, or store data during the process execution. To the extent that IT systems are used as part of the process, Business Process Owners will work with System Owners [4.3] to ensure that appropriate tools and controls are in place to enforce the desired policies. Business Process Owners may further delegate specific responsibilities; however, in the event of a data incident or questions about policy, both the Business Process Executive and the Business Process Owner are accountable for the outcome.

4.3 System Owners

Senior IT Managers who have responsibility for the systems supporting business process(es) involving PIRN are expected to designate one or more System Owners. System Owners should have awareness of the IT parameters used to support the regulatory and compliance issues, and of the technology used to implement the policies with regard to collecting, using or storing the data during the process execution. System Owners will generally take policy direction from the Business Process Owner. System Owners may delegate specific responsibilities; however, in the event of a data incident or questions about controls, the System Owner and Senior IT Manager are expected to be part of the discussions.

4.4 Department Heads and Other Managers

Department Heads and other Managers have a responsibility for ensuring that the individuals in their areas who are accessing or dealing with business processes involving PIRN are aware of the requirements for handling PIRN, and for providing them with awareness, training, and education opportunities [see 6]. Department Heads and Managers are also expected to provide appropriate technical support, such as software tools and fully trained IT support staff, to facilitate compliance.

4.5 Individuals with Access to PIRN

Individuals with access to PIRN should be aware of this Program so that they can follow appropriate steps to protect PIRN in hard copy, electronic or other forms. Computer security is of particular importance when protecting electronic files. Individuals are encouraged to work with the System Owners or local technical support staff who can provide security solutions or recommendations. Many departments have a local IT support group or an arrangement with IS&T.

4.6 Data Incident Response Team (DIRT)

The Data Incident Response Team (DIRT) is notified when a possible breach of PIRN or other sensitive information is suspected. DIRT coordinates MIT's response, if any, to a possible security breach. More information about DIRT is in Appendix B.

4.7 Information Technology Security Services (ITSS)

Information Technology Security Services (ITSS) is a support team within IS&T. ITSS is the first technical team notified in the event of a suspected computer or network intrusion that may involve PIRN or other sensitive information covered by MIT policy. ITSS evaluates the technical specifics of each event and notifies DIRT when a breach of PIRN is suspected. More information about ITSS and information security is online [http://ist.mit.edu/security].

5. Minimizing PIRN on Campus

5.1 Understanding Where PIRN Is

Each Business Process Owner or System Owner is expected to:

- Understand why PIRN is needed, and limit the amount of PIRN that is collected to that which is reasonably necessary to accomplish the legitimate purpose for which it is collected.
- Understand the data flows, including hard copy and electronic: where data is stored, used or transmitted, and whether files are distributed or centralized.
- Determine appropriate record retention for PIRN (which may be for a shorter time period than other information in the record).
- Ensure that when electronic and hard copy records are redacted, deleted or destroyed, this is done in such a way that PIRN cannot practicably be read or reconstructed. Appendix D sets forth specific legal requirements for the deletion or destruction of records that contain PIRN.

When a new business requirement for handling PIRN develops, Business Process Owners are expected to update processes and protocols as appropriate and keep Business Process Executives informed. Business Process Owners or System Owners may delegate the above responsibilities to one or more individuals who have received training or education in information security and privacy.

5.2 Limiting Access to PIRN

Each Business Process Owner or System Owner will establish a protocol that defines the rules, processes and/or systems for:

- Limiting access to only authorized and authenticated individuals who need PIRN to conduct MIT business.³
- Removing access when it is no longer needed, such as in the event of employment termination or job change.
- Periodically reviewing who has access to ensure it is in alignment with current business needs, done at least annually.
- Updating each individual's authentication key (e.g., password, certificate, etc.) at least annually.
- Determining whether remote access will be allowed and, if so, ensuring controls exist to protect the security and confidentiality of PIRN.
- Securing electronic and hard copy files when stored or during transmission, as well as understanding that electronic files that contain PIRN should not be transmitted over MITnet or the Internet unless secured.⁴
- Logging and monitoring access to detect unauthorized attempts to access PIRN, as well as inappropriate access by authorized individuals.

Business Process Owners and System Owners may delegate the above responsibilities to one or more individuals who have received training or education in information security and privacy.

³ Limits on access should not preclude cross-departmental collaborations and data exchanges on an as-needed basis; authorized sharing of information from a single source has lower risk of exposure compared to duplicative data stores.
⁴ To remain compliant, electronic files that contain PIRN must be encrypted during transmission over MITnet or the Internet. See Appendix E.

6. Awareness, Training and Education

Program oversight responsibilities include providing communication, appropriate documentation and sufficient training related to the Information Security Program. Each Business Process Owner or System Owner will take steps to ensure those authorized to access PIRN have received training in the specific responsibilities and procedures associated with that area. They will also ensure that one or more individuals in those areas receive training or education in information security and privacy. Department managers and supervisors will take steps to ensure that individuals in their area who are working with processes involving PIRN have appropriate and sufficient training, as well as access to relevant tools and IT support services to enable compliance with this Program. Individuals are expected to be aware when they are part of a process that includes PIRN. They are also expected to avail themselves of relevant training and guidance offered by Business Process Owners, System Owners or their department.

7. Third-Party Assurances

Each Business Process Owner or System Owner must undertake reasonable steps to verify that third-party service providers with access to PIRN have the capacity and the commitment to protect such information in accordance with Massachusetts law and regulations. Service providers should be aware of MIT's responsibilities to protect PIRN. Contracts must include appropriate clauses that require service providers to implement and maintain appropriate security measures to protect PIRN, as well as language that ensures the design of secure systems and data handling processes. MIT's Procurement Office can provide assistance with contract language.

8. Protection of Hard Copy Files

In addition to removing PIRN from files where it is not required for business processes, recommended protective measures for paper, microfiche, or other non-computerized files include physically locking cabinets, drawers, offices and other areas containing these files. Places where unsecured hard copy files collect (such as fax machines, copiers or mail rooms) must be monitored to minimize unauthorized access. Secure file destruction (such as using a cross-cut shredder or certified shredding service) ensures hard copy files with PIRN are never disposed of in regular trash or recycling bins. Further recommendations can be found online [http://web.mit.edu/infoprotect].

9. Protection of Electronic Files

Massachusetts regulations 201 CMR 17.04 Computer System Security Requirements (see Appendix E) include a number of requirements related to the protection of electronic files. MIT has developed a set of minimum IT security standards that, to the extent technically feasible, must be used for the protection of laptop and desktop computers, smart phones, and mobile storage devices such as USB memory sticks that process, store, view or transmit PIRN. While not an exhaustive list, below are technologies that, when used concurrently, would meet compliance requirements:

- Operating system and software updates
- Firewall configuration
- Virus and malware protection
- Passwords
- Protecting data in transit
- Encryption
- Physical security
- Data destruction/removal
- Backups
- Data inventory
- Designation of workstations for specific functions
- Principle of least privilege
- Browser and email protections
- File server protections

Further recommendations, as well as reviewed tools and applications for the protection of electronic PIRN, can be found online [http://web.mit.edu/infoprotect].

10. Monitoring and Enforcement

Each year, MIT will review this Program to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or use of PIRN. Information safeguards will be updated as necessary to limit risks. Compliance with this Program will be reviewed as part of regularly scheduled operational and IT audits conducted by MIT's Audit Division. MIT employees whose behavior is inconsistent with this Program will be subject to MIT disciplinary action, up to and including termination. See MIT HR Policy 6.3, Termination for Poor Performance or Failure to Comply with Institute Policies [http://hrweb.mit.edu/policy/6/6-3.html]. Enforcement actions relative to MIT faculty, students, temporary employees or others who compromise the protection of PIRN will be addressed on a case-by-case basis.
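The PIRN definition in section 2.2 and the "data inventory" and "understand where PIRN is" duties in sections 5.1 and 9 can be turned into a concrete discovery check. The following is an added example, not part of MIT's Program or its tooling: it classifies rows of a constructed CSV export against the 2.2 definition (a first name or first initial plus a last name, combined with a Social Security number, a driver's license or state ID number, or a financial account or card number). The column names (`first`, `last`, `ssn`, `drivers_license`, `card_number`) and the sample rows are assumptions; the SSN structural rules and the Luhn checksum are standard, and because driver's license numbers have no single format that element is a presence check only. The 2.2 carve-out for lawfully public information cannot be decided from the data and is not modelled.

```python
"""PIRN discovery check against a structured export (added example; not MIT tooling).

Applies the section 2.2 definition: a first name (or first initial) and last name,
combined with at least one of an SSN, a driver's license / state ID number, or a
financial account or payment card number. Column names and sample rows are constructed.
"""
import csv
import io
import re

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
CARD_RE = re.compile(r"^\d{13,19}$")


def looks_like_ssn(value: str) -> bool:
    """Structural SSN check: nine digits, optionally hyphenated, excluding area/group/
    serial values the SSA never assigns (area 000, 666 or 900-999; group 00; serial 0000)."""
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area in (0, 666) or area >= 900:
        return False
    return group != 0 and serial != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum carried by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card(value: str) -> bool:
    """13-19 digits (spaces and hyphens ignored) that pass the Luhn check."""
    digits = re.sub(r"[ -]", "", value.strip())
    return bool(CARD_RE.match(digits)) and luhn_ok(digits)


def classify_record(row: dict) -> set:
    """Return the set of 2.2 data elements that make this row PIRN (empty set: not PIRN).

    The name requirement is applied first: an SSN or card number with no name attached is
    still sensitive, but it is not PIRN under 2.2. Driver's license / state ID numbers have
    no single format, so that column is a presence check only (assumption).
    """
    first = (row.get("first") or "").strip()
    last = (row.get("last") or "").strip()
    if not (first and last):  # "first name and last name or first initial and last name"
        return set()
    elements = set()
    if looks_like_ssn(row.get("ssn") or ""):
        elements.add("ssn")
    if (row.get("drivers_license") or "").strip():
        elements.add("drivers_license")
    if looks_like_card(row.get("card_number") or ""):
        elements.add("card_number")
    return elements


def inventory(csv_text: str) -> dict:
    """Map 1-based row number -> sorted list of PIRN elements, for rows that are PIRN.

    This is the 'understand where PIRN is' step of section 5.1 applied to one data store.
    """
    hits = {}
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        elements = classify_record(row)
        if elements:
            hits[n] = sorted(elements)
    return hits


# Constructed sample export. Row 3 has an SSN but no first name; row 4 has an SSN with an
# unassigned area number and a card number that fails Luhn, so neither row is PIRN.
SAMPLE_CSV = """first,last,ssn,drivers_license,card_number
J,Doe,078-05-1120,,
Alice,Smith,,,4111 1111 1111 1111
,Jones,123-45-6789,,
Bob,Lee,000-12-3456,,4111111111111112
Carol,Ng,,S12345678,
"""

if __name__ == "__main__":
    for row_number, elements in inventory(SAMPLE_CSV).items():
        print(f"row {row_number}: PIRN ({', '.join(elements)})")
```

Run against a real export, the row numbers that come back are the records whose retention, access list and transmission path need the section 5.2 protocol; rows with a bare SSN and no name (row 3 above) are worth flagging separately for minimization even though they fall outside the notification definition.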

Appendix A: Program Oversight Responsibilities

Oversight and maintenance of the Written Information Security Program is the responsibility of the Head of Information Services & Technology, the Vice President and General Counsel and the Institute Auditor. Responsibilities of this group include:

- Annually reviewing the effectiveness of the Information Security Program;
- Apprising MIT's Audit Committee of any significant incidents, or changes in the Information Security Program;
- Overseeing communication and training;
- Updating the Program, policies, guidelines and standards as needed;
- Participating in any data breach de-briefing;
- Sponsoring/overseeing one or more working groups, as circumstances require, to see that these Program responsibilities are achieved.

Meetings: This group is not required to meet on an established frequency, but will convene as needed to respond to changing regulations, business conditions, data incidents, significant audit findings, or other incidents that may prompt discussion. This should occur no less than annually.

Appendix B: Data Incident Response Team (DIRT)

In order to respond to and recover from data security breaches, MIT established a Data Incident Response Team in the Fall of 2007. When a compromise of data is suspected, a report is sent to DIRT, whose responsibilities are to:

- Alert: Immediately notify all members of the team that a possible data incident occurred. Subsequently, keep the team members aware of the status of the incident.
- Respond: Get in touch with the contact person for the machine in question (if related to an electronic data incident) to remove it from the network.
- Investigate: Determine as soon as possible the full scope of the incident: what types of data were involved, the cause of the problem, and whether PIRN had been exposed.
- Notify: If an incident leads to exposure, or if the team has reason to believe that information was acquired or used by unauthorized persons for an unauthorized purpose, the team initiates appropriate notification processes, in accordance with relevant laws, regulations, and contract requirements, so that counter-measures can be taken to protect the affected individuals against fraud and identity theft.
- Document: Any actions taken in connection with an incident are documented and a post-incident review of events is conducted in order to record changes in business practices relating to the protection of PIRN.

Appendix C: Incident Response

Although MIT hopes that its efforts at protecting personal information will result in no compromises of PIRN or other sensitive information, compromises may still happen. It is just as important that MIT handles such incidents properly.⁵

From time to time, the IT Security Services team receives reports that a computer containing personal information is at risk of being compromised, or that a computer account has been used in a way that exposed personal information. Compromises can happen when a computer is running an outdated and unpatched operating system. Indications of a compromise include alerts from anti-virus and anti-malware software. Some signs of compromise are subtle and no alerts may be generated. Other ways information could be disclosed are through loss or theft of laptops and other storage devices, web-searchable Athena Lockers, unencrypted documents and databases, weak passwords, lack of access controls, and data on disposed hard drives. Information contained in hard copy files can be exposed as well if not properly secured.

Individuals should avoid trying to address situations on their own, as they may corrupt forensic information necessary to determine the scope of the issue and the risks to MIT. If you believe a breach of PIRN may have occurred, immediately report the incident by sending email to infoprotect@mit.edu. If you have received a notice that a computer has a possible compromise, follow the instructions in the notice. The incident responders will work through a process to determine if a reportable breach has occurred, and will engage MIT's Data Incident Response Team as appropriate. Detailed instructions for reporting and handling a potential compromise of PIRN can be found online [http://ist.mit.edu/security/support/data_breach].

⁵ MIT may decide to send out a notice even if there is no confirmation that a breach of security resulted in unauthorized exposure of PIRN. It may also send out a notice if information is exposed that does not fall under the definition of PIRN, but is still considered sensitive. In those cases, notification decisions will be made on a case-by-case basis.

Appendix D: Massachusetts General Laws Chapter 93I: Section 2. Standards for disposal of records containing personal information; disposal by third party; enforcement

[Note: An up-to-date version may be found at http://www.mass.gov/legis/laws/mgl/93i-2.htm]

Section 2. When disposing of records, each agency or person shall meet the following minimum standards for proper disposal of records containing personal information:

(a) paper documents containing personal information shall be redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed;
(b) electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.

Any agency or person disposing of personal information may contract with a third party to dispose of personal information in accordance with this chapter. Any third party hired to dispose of material containing personal information shall implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation and disposal of personal information.

Any agency or person who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal. The attorney general may file a civil action in the superior or district court in the name of the commonwealth to recover such penalties.

Appendix E: 201 CMR 17.04 Computer System Security Requirements

[Note: An up-to-date version may be found at http://www.mass.gov/eoca/docs/idtheft/201cmr1700reg.pdf]

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

(1) Secure user authentication protocols including:
    (i) control of user IDs and other identifiers;
    (ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
    (iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
    (iv) restricting access to active users and active user accounts only; and
    (v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.

(2) Secure access control measures that:
    (i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
    (ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.

(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information.

(5) Encryption of all personal information stored on laptops or other portable devices.

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
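Requirement (1)(v) (block access to a user identification after multiple unsuccessful attempts) and requirement (4) (reasonable monitoring for unauthorized access), together with the "logging and monitoring access" item in section 5.2, are the parts of this appendix that a system owner implements in code rather than in a contract. The following is an added example, not MIT's code: a lockout policy that refuses a locked identifier even when the credential is correct, keeps an audit record of every decision, and runs one monitoring query over those records that per-account lockout alone cannot answer (a single source failing once against many different accounts). The failure threshold, window and lock duration, the in-memory state, and the audit record format are constructed assumptions; credential verification itself is the caller's job.

```python
"""Account lockout with an audit trail (added example; not MIT code).

Implements the shape of 201 CMR 17.04(1)(v) (block access after multiple unsuccessful
attempts) and 17.04(4) (monitoring for unauthorized access), and the 'logging and
monitoring access' rule in section 5.2. Thresholds, the in-memory state and the audit
record format are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_FAILURES = 5          # assumed: failures before the identifier is blocked
FAILURE_WINDOW = 15 * 60  # assumed: failures are counted over a 15-minute window (seconds)
LOCK_DURATION = 30 * 60   # assumed: block lasts 30 minutes (seconds)


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                            # 0 means not locked


class LockoutPolicy:
    """Applies the lockout rule and records every decision. The caller verifies the
    credential first and passes the result in; this class never sees the secret."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}
        self.audit_log: List[dict] = []  # stand-in for a syslog/SIEM sink

    def _log(self, event: str, user: str, now: float, **extra) -> None:
        self.audit_log.append({"ts": now, "event": event, "user": user, **extra})

    def is_locked(self, user: str, now: float) -> bool:
        state = self.accounts.get(user)
        return state is not None and state.locked_until > now

    def record_attempt(self, user: str, credential_ok: bool, now: float,
                       source: str) -> Tuple[bool, str]:
        """Return (access_allowed, reason). A locked identifier is refused even when the
        credential is correct; that refusal is what makes the block in (1)(v) effective."""
        state = self.accounts.setdefault(user, AccountState())
        if state.locked_until > now:
            self._log("login_rejected_locked", user, now, source=source)
            return False, "locked"
        if credential_ok:
            state.failures.clear()
            self._log("login_success", user, now, source=source)
            return True, "ok"
        # Keep only failures inside the window, then count this one.
        state.failures = [t for t in state.failures if now - t < FAILURE_WINDOW]
        state.failures.append(now)
        self._log("login_failure", user, now, source=source,
                  recent_failures=len(state.failures))
        if len(state.failures) >= MAX_FAILURES:
            state.locked_until = now + LOCK_DURATION
            state.failures.clear()
            self._log("account_locked", user, now, source=source, until=state.locked_until)
            return False, "locked"
        return False, "bad_credentials"

    def sources_failing_many_accounts(self, min_users: int = 3) -> List[str]:
        """Monitoring query over the audit trail (17.04(4)): sources whose failures touched
        at least min_users distinct identifiers. Per-account lockout never fires on this
        pattern because each account may see only a single failure."""
        users_by_source: Dict[str, set] = {}
        for rec in self.audit_log:
            if rec["event"] == "login_failure":
                users_by_source.setdefault(rec["source"], set()).add(rec["user"])
        return sorted(s for s, users in users_by_source.items() if len(users) >= min_users)


if __name__ == "__main__":
    policy = LockoutPolicy()
    for i in range(MAX_FAILURES):
        print(policy.record_attempt("alice", False, 1000.0 + i, "10.0.0.5"))
    print(policy.record_attempt("alice", True, 1010.0, "10.0.0.5"))  # still locked
    for rec in policy.audit_log:
        print(rec)
```

The audit records are the input to the monitoring duty in section 5.2: the `login_failure` events carry the source so that the cross-account query can be answered, and the `account_locked` event carries the unlock time so that operations staff can verify the block actually held.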