Protecting MIT Data T. McGovern, M. Yeaton, M. Halsall, S. Burke, B. DiMattia State Laws & Regulations General Laws, Chapter 93H: Massachusetts Data Breach Law, outlines when to notify (2007) 201 CMR 17.00: Regulations for Massachusetts Data Breach Law (2010)
Federal Laws FERPA - Family Educational Rights & Privacy Act PCI-DSS - Payment Card Industry Data Security Standards HIPAA - Health Insurance Portability & Accountability Act GLBA - Gramm Leach Bliley Act MIT Policies MIT Policy 11.0 on Privacy & Disclosure of Information MIT Policy 13.2 on Use of Information Technology FACTA Red Flag Rules - MIT Identity Theft Prevention Program
PIRN PIRN = Personal Information Requiring Notification Social Security Numbers Driver s Licenses Health Records (PCI) Credit Card & Bank Account Numbers WISP WISP = Written Information Security Program Applies to any area where PIRN is reviewed, manipulated, deleted or stored Outlines roles for Business Process Owners and System Owners defining how to protect data in their stewardship web.mit.edu/infoprotect/wisp
Where MIT has PIRN Human Resources (Benefits, SAP, Data Warehouse, etc) Student Services (Admissions, SFS, Registrar, etc) Financial (Payroll, Accounts Payable, Procurement, etc) Medical (MIT Medical, Benefits) Where MIT has PIRN (cont.) IT (Enterprise Systems, Departmental Databases, etc) MIT Merchants accepting credit cards DLC Administration Academic & Research Areas
Finding the Data If you don t know where it is, you can t protect it. Search Data Tool Identity Finder - runs and reports back any sensitive data it finds, and lets user take appropriate action
Identity Finder Seeks: passwords, social security numbers, credit card numbers, bank account numbers Actions: redact, shred, encrypt
Protecting PIRN in DUE/DSL Our Collective Responsibility
Methods employed to protect data General Computer Policies OS/Security updates and patches applied Virus Protection/Firewalls turned on Required Login Eraser (PC); Secure Empty Trash (Mac) Laptop Policies/Requirements STOP! security tags Security cables Behavioral Change: Consistent use of security cables PGP Whole Disk Encryption Behavioral Change: No traveling in sleep mode Using Identity Finder in DUE/DSL Staff are required to run Identity Finder at least once a month (more often as determined by the dept. head). Staff must eliminate or secure sensitive data. Staff may not choose ignore for any occurrences of sensitive data. An action to remove or secure is required. To retain PIRN staff may need authorization from their dept. head or manager.
DUE/DSL Staff Guidelines Any suspicion of a virus infection must be reported immediately - no waiting. Stop using the computer. Disconnect the ethernet cable or disable wireless (Stop the network traffic.) Leave the computer on so IT staff can view the behavior. 19 Locking Down the Data If you can t protect it, don t collect it.
Encryption PGP Desktop Whole Disk Encryption - protects hard disk when computer is turned off PGP Desktop Installation Misconceptions / caveats Support
Minimizing the Data You can t lose what you don t have. Redaction Removing the sensitive bits from Excel, Word, FileMaker, PDF files When the data is not necessary to run tasks
Secure Delete Macs have secure deletion built in: secure empty trash or Disk Utility PCs can use third-party software: PGP Shred, Eraser, DBAN, etc Services for IT asset disposal IT Asset Disposition
PRODUCT PROCUREMENT REVERSE SUPPLY CHAIN SOLUTIONS IT ASSET DISPOSITION IT Asset Disposition Massachusetts Institute of Technology Agenda Who is Converge Protecting the MIT Brand and MIT s Data Converge - Asset Manager Remarketing and revenue generation Ease of doing business 28
Converge Global Headquarters 4 Technology Drive Peabody, Massachusetts United States 29 Arrow Electronics & Converge Founded in 1935, incorporated in 1946, public in 1961 New York Stock Exchange: ARW 2009 Sales: 14.7 billion Fortune 500 ranking of 151 Worldwide presence: in 51 countries and over 350 locations Over 11,300 employees Worldwide customers 125,000 Corporate Headquarters: Melville, New York 30
Converge ITAD Objectives ITAD Objectives For Our Clients: 1) Mitigate Data Security Risks 2) Ensure Environmental Compliance 3) Optimizing the disposition of end-of-life technology - Maximize value - Minimize costs Converge s goal is to protect Clients brand names from costly fines, penalties and/or litigation due to a data security breach or environmental non-compliance. 31 Converge IT Asset Disposition (ITAD) Full suite of secure, compliant end-of-life IT asset disposition services Global coverage Secure transportation Data security: erasure & destruction Environmental compliance / recycling Remarketing of systems and components Redeployment / donations Lease return services Reporting Exclusive Web-based Asset Manager system allows client to securely manage their ITAD program in real time - from pickup to final disposition 32
Strict Recycling Policy Utilize only EPA-recognized e-waste disposal methods and provide certification that all materials have been processed in an environmentally compliant manner following our electronic waste recycling policy: Zero landfill Zero incineration Zero waste exported Reuse of all reclaimed base materials Certificates of recycling are issued to demonstrate that assets have been properly disposed of and recycled. 33 Certifications ISO9001 ISO14001 OHSAS18001 Health & Safety ANSI/ESD S20.20 Electronics Discharge Certified Customs-Trade Partnership Against Terrorism International Association of IT Asset Managers Member Microsoft Registered Refurbisher Certifications In Process National Association of Information Destruction Responsible Recycling IDC G.R.A.D.E. Green Recycling and Asset Disposal for the Enterprise 34
Comprehensive ITAD Services Logistics: Scheduling Onsite preparation, packing, and palletizing Secure transportation Ensure import/export compliance Processing: Asset registration and sanitization Data erasure / hard drive shredding Testing 35 Disposition Methods Utilized: Asset remarketing Donation services Re-deployment services Complaint recycling (zero landfill,zero e-waste export) Lease return services Asset Manager Tracking System Secure, web-based scheduling, tracking, and reporting Real-time chain-of-custody tracking Easy to use search tools Asset level reporting Compliance documents Certificate of Recycling Certificate of Destruction Certificate of Erasure Certificate of Donation Over 50 standard reports Customized reporting available Global view 24x7x365 36
Questions? 37 Thanks for your time today! Please call me with any questions or to schedule a Converge Asset Manager Demonstration Bob DiMattia Robert.dimattia@converge.com 978-538-8062 work 978-490-4179 cell 38