Tasks for High Risk Data
Now that you know your risk level, it's time to implement appropriate tasks to protect your data. Work with your departmental IT support resource or IS&T to undertake reasonable steps to complete these tasks. If implementing a particular task prevents you from completing your work, contact security@mit.edu; it may be acceptable to mitigate the risk using other methods. Some of the tasks might not be applicable to your situation. You may filter the list to show tasks applicable to your role: User, Data Owner, or System Administrator. If you are handling regulated information or have signed a data use agreement, some tasks may be absolutely required.
Your current IT support may already have many of these tasks implemented as part of their service. You can also contact the Service Desk for assistance with securing information.
The "Applies to" column uses the following categories:

- Application: Software running on a server that is remotely accessible, including mobile applications.
- Endpoint: A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
- Media: Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc.
- Server: A host that provides a network accessible service.

Task | Applies to | Service or Tool | |
---|---|---|---|
Information is accessible only for authorized purposes and shared only with those authorized to receive it. | Application, Endpoint, Media, Server | Encryption, Touchstone Authentication | Learn how |
Review which user accounts have access to information at this level regularly - at least annually. | Application, Endpoint, Media, Server | | Learn how |
Revoke permissions when a user no longer needs access to information (e.g., upon project completion or job change). | Application, Endpoint, Media, Server | | Learn how |
Use separate accounts for user and administrative permissions. | Application, Endpoint, Server | | Learn how |
Enable your operating system's firewall. | Endpoint, Server | | Learn how |
Enable a screen lock that requires a password to unlock after 15 minutes of inactivity. | Endpoint | | Learn how |
Task | Applies to | Service or Tool | |
---|---|---|---|
Create and maintain an information inventory that includes classification level, information owner, and users with access. | Application, Endpoint, Media, Server | | Learn how |
Create and maintain an inventory of systems that includes device ownership, contact information, and network configuration. | Endpoint, Media, Server | | Learn how |
Create and maintain an application inventory that includes assigned risk classification level, data volume, and users with access. | Application | | Learn how |
Task | Applies to | Service or Tool | |
---|---|---|---|
Train all users with access to ensure understanding of their responsibilities with regard to handling information. | Application, Endpoint, Media, Server | | Learn how |
Train all users with access to ensure awareness of the risks to information and data. | Application, Endpoint, Media, Server | | Learn how |
Task | Applies to | Service or Tool | |
---|---|---|---|
Use vendor supported applications and operating systems. | Application, Endpoint, Server | Software Patches and OS Updates | Learn how |
Configure automatic download and application of software and operating system updates. | Application, Endpoint, Server | Software Patches and OS Updates | Learn how |
Stay informed of available patches for your operating system and applications. | Application, Endpoint, Server | Software Patches and OS Updates | Learn how |
Where applicable, use endpoint management tools to ensure the tasks for this level are completed on your devices. | Endpoint | Mac Device Management, Windows Device Management | Learn how |
Perform regular network vulnerability scans. Contact your departmental IT administrator or security@mit.edu for assistance. | Application, Server | | Learn how |
Ensure authentication and access logs are sent to a second device. | Application, Server | | Learn how |
Task | Applies to | Service or Tool | |
---|---|---|---|
Limit the storage and collection of data at this risk level to that which is necessary to accomplish the legitimate purpose for which it is collected. | Application, Endpoint, Media, Server | | Learn how |
Anonymize information whenever possible and separate access to identified and de-identified data sets. For physical media, store identified information in a separate locked file cabinet. | Application, Endpoint, Media, Server | | Learn how |
Observe applicable data retention policies upon project completion. Securely delete the information if possible. If you must retain a copy of information at this level, ensure that it remains secure. | Application, Endpoint, Media, Server | | Learn how |
Destroy devices and media that are no longer needed in a way such that no information can be recovered. | Endpoint, Media, Server | | Learn how |
Securely delete information when it is no longer required by means that make it impossible to reconstruct the records. | Application, Endpoint, Media, Server | | Learn how |
Task | Applies to | Service or Tool | |
---|---|---|---|
Promptly report actual or suspected compromise, including loss, theft, improper use, modification of, or access to information, to security@mit.edu. | Application, Endpoint, Media, Server | | Learn how |
Review your systems and procedures regularly to ensure the tasks for this risk level are applied. | Application, Endpoint, Media, Server | | Learn how |
Contact security@mit.edu for an annual review to verify that all security tasks are working properly. | Application, Endpoint, Media, Server | | Learn how |
If you are developing (or contracting a vendor to develop) applications processing this level of information, include security as a design requirement. | Application | | Learn how |
If you are developing (or contracting a vendor to develop) applications processing this level of information, review code and correct flaws prior to deployment. | Application | | Learn how |
If you have received data as part of a sponsored research project, and your contract includes clauses on data security, there may be additional tasks. Please contact infoprotect@mit.edu. | Application, Endpoint, Media, Server | | Learn how |
If you are accepting credit card payments, you may need to complete additional tasks. Please contact infoprotect@mit.edu. | Application, Endpoint, Media, Server | | Learn how |
If you handle Protected Health Information (PHI) or Individually Identifiable Health Information, there may be additional tasks to complete. Please contact infoprotect@mit.edu. | Application, Endpoint, Media, Server | | Learn how |
Task | Applies to | Service or Tool | |
---|---|---|---|
Create a unique, non-privileged account for each user. Assign a different password for user and administrative accounts. | Application, Endpoint, Server | | Learn how |
Use strong passwords. Change authentication keys (e.g., password, certificate) regularly - at least annually. | Application, Endpoint, Server | LastPass Enterprise, Passwords | Learn how |
Do not reuse passwords for multiple services. Do not use your Kerberos password for non-Kerberos enabled systems. | Application, Endpoint, Server | LastPass Enterprise, Passwords | Learn how |
Change passwords immediately if a compromise is suspected. | Application, Endpoint, Server | Passwords | Learn how |
Enable password protection at startup. | Endpoint | | Learn how |
Store and transmit only encrypted passwords. | Application, Endpoint, Media, Server | Encryption, Passwords | Learn how |
Change default or vendor-supplied passwords and remove default accounts. | Application, Endpoint, Server | Passwords | Learn how |
Utilize multi-factor authentication for remote access. | Endpoint | Duo Security | Learn how |
Utilize multi-factor authentication for remote interactive user and administrator logins. | Application, Server | Duo Security | Learn how |
Task | Applies to | Service or Tool | |
---|---|---|---|
Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. | Endpoint, Media, Server | | Learn how |
Lock hard copy information records in a file cabinet within a locked office. | Media | | Learn how |
Restrict physical access to any storage facility that contains physical media with this level of information. Only authorized individuals may have access, either through a physical or electronic key. | Media | | Learn how |
Place system hardware in a data center. | Server | Server Co-location | Learn how |
Fax records to a non-public fax machine only if arrangements have been made so that the intended recipient will take the copies off the machine immediately upon receipt. | Media | | Learn how |
Plan ahead to keep paper research data and forms (e.g., field notes, observations, interviews, informed consents) secure while traveling abroad. | Media | | Learn how |
Remove information on copiers, fax machines, or other shared devices promptly. | Media | | Learn how |
Use appropriately secure means when transferring physical media containing information. Track transfers to confirm that they reached the intended recipient. | Media | | Learn how |
Task | Applies to | Service or Tool | |
---|---|---|---|
Install malware protection applications, if available for the platform. | Endpoint, Server | CrowdStrike, Sophos Anti-Virus, Virus Detection and Prevention | Learn how |
Set up and perform regular backups. | Application, Endpoint, Server | CrashPlan, TSM (Tivoli Storage Manager) | Learn how |
Use a backup solution that encrypts information in transit and at rest. | Application, Endpoint, Server | CrashPlan, TSM (Tivoli Storage Manager), Backup, Encryption | Learn how |
Enable whole disk encryption on portable devices. | Endpoint | BitLocker (Windows), FileVault (Mac) | Learn how |
Enable whole disk encryption on portable media. | Media | Encryption | Learn how |
Transmit information at this level only over an encrypted connection. | Application, Endpoint, Server | | Learn how |
Use file level encryption when sharing files on platforms like email, Dropbox, or Slack. Encryption keys must be shared via another method. | Endpoint | Encryption | Learn how |
Enable the use of remote wipe and geographic location software on portable devices. | Endpoint | | Learn how |
Install data loss prevention software. | Endpoint, Server | Spirion | Learn how |