Protecting Sensitive Information is Everyone's Responsibility
Improper disclosures of sensitive data can cause harm and embarrassment to students, faculty, and staff, and immeasurable damage to the image and reputation of the Institute. It is in everyone's interest to ensure that the Institute's sensitive data is appropriately protected. It is also everyone's responsibility to safeguard such data. Some examples of sensitive data are:
- Social Security numbers (SSN)
- Credit card numbers
- Driver's license numbers
- Personally identifiable patient information
- Personally identifiable student information
- Personally identifiable employee information
- Proprietary research data
- Confidential legal data
- Confidential financial data
- Other proprietary data that should not be shared with the public
Who is Handling Sensitive Information?
Every day at MIT, thousands of people handle administrative data of all kinds -- personnel and payroll data, student data, medical records and on and on. While many understand fully the sensitivity of the information they handle, they have not always had the procedures and tools needed to safeguard these data. Others simply do not understand the need to take precautions against accidental disclosure of sensitive data.
Risks of Disclosure
One of the biggest and most widely acknowledged problems is the amount of sensitive administrative data that gets sent around campus, and between MIT and its business partners, as electronic mail attachments, in many cases without the kinds of protection that are possible with today's technologies. Worse still, much of this data ends up residing on individual laptop and desktop computers for long periods of time, in plain sight of anyone with access to that computer.
Raising Awareness
The need to protect sensitive data, for example the Social Security Number (SSN), is an issue that cuts across all aspects of MIT's interests and activities. Nowhere is it more important, however, than in the Information Services and Technologies (IS&T) Department, where many of the computing and networking resources involved in storing and sending sensitive data reside. The management and protection of sensitive data requires awareness by all who work with this type of data.
Putting Protections in Place
Except where required by certain statutory mandates (HIPAA, FERPA, and Gramm-Leach-Bliley) and Massachusetts state laws, the Institute does not have information security procedures in place. As a result, data access is not consistently managed based on the level of sensitivity accorded to different types of information. Defining levels of sensitive data, and how each level should be handled, is the first step in establishing clear guidelines. Those guidelines would include the authority for mandating appropriate protections and clear escalation paths for questions on how departments can manage their sensitive data.
IS&T's data security program consists of a two-pronged effort aimed at raising awareness of data security issues and developing an outreach program that will assist the MIT community in protecting their sensitive and confidential data. Institute-wide initiatives have been established as well. If you have any ideas, suggestions, concerns, or questions about this effort, contact us by email at infoprotect AT mit.edu.