Protecting MIT Data. State Laws & Regulations. T. McGovern, M. Yeaton, M. Halsall, S. Burke, B. DiMattia

State Laws & Regulations
- General Laws, Chapter 93H: Massachusetts Data Breach Law, outlines when to notify (2007)
- 201 CMR 17.00: Regulations for Massachusetts Data Breach Law (2010)

Federal Laws
- FERPA - Family Educational Rights & Privacy Act
- PCI-DSS - Payment Card Industry Data Security Standards
- HIPAA - Health Insurance Portability & Accountability Act
- GLBA - Gramm-Leach-Bliley Act

MIT Policies
- MIT Policy 11.0 on Privacy & Disclosure of Information
- MIT Policy 13.2 on Use of Information Technology
- FACTA Red Flag Rules - MIT Identity Theft Prevention Program

PIRN
PIRN = Personal Information Requiring Notification
- Social Security Numbers
- Driver's Licenses
- Health Records
- Credit Card & Bank Account Numbers (PCI)

WISP
WISP = Written Information Security Program
- Applies to any area where PIRN is reviewed, manipulated, deleted or stored
- Outlines roles for Business Process Owners and System Owners, defining how to protect data in their stewardship
- web.mit.edu/infoprotect/wisp

Where MIT has PIRN
- Human Resources (Benefits, SAP, Data Warehouse, etc.)
- Student Services (Admissions, SFS, Registrar, etc.)
- Financial (Payroll, Accounts Payable, Procurement, etc.)
- Medical (MIT Medical, Benefits)
- IT (Enterprise Systems, Departmental Databases, etc.)
- MIT Merchants accepting credit cards
- DLC Administration
- Academic & Research Areas

Finding the Data
If you don't know where it is, you can't protect it.
- Search Data Tool: Identity Finder - runs and reports back any sensitive data it finds, and lets the user take appropriate action

Identity Finder
- Seeks: passwords, social security numbers, credit card numbers, bank account numbers
- Actions: redact, shred, encrypt
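The scan-then-act workflow the slides describe for Identity Finder, as an added example (not MIT's or Identity Finder's code) covering two of the listed data types, social security numbers and credit card numbers; the regular expressions, the Luhn secondary check and the sample documents are constructed for this illustration.

```python
import re

# Candidate patterns (constructed for this example): SSNs are 3-2-4 digits with the
# invalid area/group/serial ranges excluded; card numbers are 13-19 digits, optionally
# separated by spaces or dashes, and must also pass the Luhn check (see below).
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

def luhn_ok(digits):
    """Luhn checksum, so badge ids and timestamps with many digits are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def confirmed(kind, match_text):
    """A pattern hit becomes a reportable finding only if its secondary check passes."""
    return kind != "credit_card" or luhn_ok(re.sub(r"\D", "", match_text))

def scan(documents):
    """Return (filename, line_no, kind, text) for every confirmed finding."""
    findings = []
    for name, text in documents.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(line):
                    if confirmed(kind, m.group()):
                        findings.append((name, line_no, kind, m.group()))
    return findings

def redact(text):
    """Redact action: mask each confirmed finding, keeping only its last four digits."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(
            lambda m, k=kind: "[REDACTED-%s]" % re.sub(r"\D", "", m.group())[-4:]
            if confirmed(k, m.group()) else m.group(), text)
    return text

# Constructed sample documents standing in for files found on a staff workstation.
SAMPLE_DOCS = {
    "payroll_notes.txt": "Employee 4421 onboarded 2010-03-15\nSSN on file: 123-45-6789\nBadge id 0000123456789\n",
    "merchant_export.csv": "name,card,amount\nA. Student,4111 1111 1111 1111,42.00\nB. Student,4111-1111-1111-1112,17.50\n",
    "lab_inventory.txt": "Freezer inventory 2014; contact ext. 5-1234\n",
}

if __name__ == "__main__":
    print(*scan(SAMPLE_DOCS), redact(SAMPLE_DOCS["merchant_export.csv"]), sep="\n")
```

The second card number in the CSV fails the Luhn check and is therefore neither reported nor redacted, which is the kind of false positive a scanner has to suppress before staff are asked to act on every occurrence.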

Protecting PIRN in DUE/DSL
Our Collective Responsibility

Methods employed to protect data

General Computer Policies
- OS/Security updates and patches applied
- Virus Protection/Firewalls turned on
- Required Login
- Eraser (PC); Secure Empty Trash (Mac)

Laptop Policies/Requirements
- STOP! security tags
- Security cables (Behavioral Change: consistent use of security cables)
- PGP Whole Disk Encryption (Behavioral Change: no traveling in sleep mode)

Using Identity Finder in DUE/DSL
- Staff are required to run Identity Finder at least once a month (more often as determined by the dept. head).
- Staff must eliminate or secure sensitive data.
- Staff may not choose "ignore" for any occurrence of sensitive data. An action to remove or secure is required.
- To retain PIRN, staff may need authorization from their dept. head or manager.

DUE/DSL Staff Guidelines
- Any suspicion of a virus infection must be reported immediately - no waiting.
- Stop using the computer.
- Disconnect the ethernet cable or disable wireless (stop the network traffic).
- Leave the computer on so IT staff can view the behavior.

Locking Down the Data
If you can't protect it, don't collect it.

Encryption
- PGP Desktop Whole Disk Encryption - protects the hard disk when the computer is turned off
- PGP Desktop Installation
- Misconceptions / caveats
- Support

Minimizing the Data
You can't lose what you don't have.
- Redaction: removing the sensitive bits from Excel, Word, FileMaker and PDF files when the data is not necessary to run tasks

Secure Delete
- Macs have secure deletion built in: Secure Empty Trash or Disk Utility
- PCs can use third-party software: PGP Shred, Eraser, DBAN, etc.
- Services for IT asset disposal: IT Asset Disposition

IT Asset Disposition
Converge: Product Procurement, Reverse Supply Chain Solutions, IT Asset Disposition
Massachusetts Institute of Technology

Agenda
- Who is Converge
- Protecting the MIT Brand and MIT's Data
- Converge - Asset Manager
- Remarketing and revenue generation
- Ease of doing business

Converge Global Headquarters: 4 Technology Drive, Peabody, Massachusetts, United States

Arrow Electronics & Converge
- Founded in 1935, incorporated in 1946, public in 1961
- New York Stock Exchange: ARW
- 2009 Sales: 14.7 billion
- Fortune 500 ranking of 151
- Worldwide presence: in 51 countries and over 350 locations
- Over 11,300 employees
- Worldwide customers: 125,000
- Corporate Headquarters: Melville, New York

Converge ITAD Objectives
ITAD Objectives For Our Clients:
1) Mitigate Data Security Risks
2) Ensure Environmental Compliance
3) Optimize the disposition of end-of-life technology
   - Maximize value
   - Minimize costs
Converge's goal is to protect Clients' brand names from costly fines, penalties and/or litigation due to a data security breach or environmental non-compliance.

Converge IT Asset Disposition (ITAD)
- Full suite of secure, compliant end-of-life IT asset disposition services
- Global coverage
- Secure transportation
- Data security: erasure & destruction
- Environmental compliance / recycling
- Remarketing of systems and components
- Redeployment / donations
- Lease return services
- Reporting
- Exclusive Web-based Asset Manager system allows the client to securely manage their ITAD program in real time - from pickup to final disposition

Strict Recycling Policy
Utilize only EPA-recognized e-waste disposal methods and provide certification that all materials have been processed in an environmentally compliant manner following our electronic waste recycling policy:
- Zero landfill
- Zero incineration
- Zero waste exported
- Reuse of all reclaimed base materials
Certificates of recycling are issued to demonstrate that assets have been properly disposed of and recycled.

Certifications
- ISO9001
- ISO14001
- OHSAS18001 Health & Safety
- ANSI/ESD S20.20 Electrostatic Discharge Certified
- Customs-Trade Partnership Against Terrorism
- International Association of IT Asset Managers Member
- Microsoft Registered Refurbisher

Certifications In Process
- National Association of Information Destruction
- Responsible Recycling
- IDC G.R.A.D.E. (Green Recycling and Asset Disposal for the Enterprise)

Comprehensive ITAD Services
Logistics:
- Scheduling
- Onsite preparation, packing, and palletizing
- Secure transportation
- Ensure import/export compliance
Processing:
- Asset registration and sanitization
- Data erasure / hard drive shredding
- Testing

Disposition Methods Utilized:
- Asset remarketing
- Donation services
- Re-deployment services
- Compliant recycling (zero landfill, zero e-waste export)
- Lease return services

Asset Manager Tracking System
- Secure, web-based scheduling, tracking, and reporting
- Real-time chain-of-custody tracking
- Easy to use search tools
- Asset level reporting
- Compliance documents: Certificate of Recycling, Certificate of Destruction, Certificate of Erasure, Certificate of Donation
- Over 50 standard reports
- Customized reporting available
- Global view 24x7x365

Questions?
Thanks for your time today! Please call me with any questions or to schedule a Converge Asset Manager Demonstration.
Bob DiMattia
Robert.dimattia@converge.com
978-538-8062 work
978-490-4179 cell