Tasks for Medium Risk Data
Now that you know your risk level, it's time to implement appropriate tasks to protect your data. Work with your departmental IT support resource or IS&T to undertake reasonable steps to complete these tasks. If implementing a particular task prevents you from completing your work, contactĀ security@mit.eduāit may be acceptable to mitigate the risk using other methods. Some of the tasks might not be applicable to your situation. You may filter the list to show tasks applicable to your role ā User, Data Owner, or System Administrator. If you are handling regulated information or have signed a data use agreement there may be some tasks that are absolutely required.
Your current IT support may already have many of these tasks implemented as part of their service. You can also contact the Service Desk for assistance with securing information.
| Task | Applies to | Service or Tool | |
|---|---|---|---|
| Information is accessible only for authorized purposes and shared only with those authorized to receive it. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Media
, Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc.
Server
A host that provides a network accessible service. |
Encryption, Touchstone Authentication | Learn how |
| Review which user accounts have access to information at this level regularly - at least annually. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Media
, Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc.
Server
A host that provides a network accessible service. |
Learn how | |
| Revoke permissions when a user no longer needs access to information (e.g., upon project completion or job change). |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Media
, Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc.
Server
A host that provides a network accessible service. |
Learn how | |
| Use separate accounts for user and administrative permissions. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
A host that provides a network accessible service. |
Learn how | |
| Enable your operating system's firewall. |
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
A host that provides a network accessible service. |
Learn how | |
| Enable a screen lock that requires a password to unlock after 15 minutes of inactivity. |
Endpoint
A computer device such as a desktop workstation, mobile phone, tablet, or laptop. |
Learn how |
| Task | Applies to | Service or Tool | |
|---|---|---|---|
| Create and maintain an information inventory that includes classification level, information owner, and users with access. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Media
, Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc.
Server
A host that provides a network accessible service. |
Learn how |
| Task | Applies to | Service or Tool | |
|---|---|---|---|
| Use vendor supported applications and operating systems. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
A host that provides a network accessible service. |
Software Patches and OS Updates | Learn how |
| Configure automatic download and application of software and operating system updates. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
A host that provides a network accessible service. |
Software Patches and OS Updates | Learn how |
| Stay informed of available patches for your operating system and applications. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
A host that provides a network accessible service. |
Software Patches and OS Updates | Learn how |
| Where applicable, use endpoint management tools to ensure the tasks for this level are completed on your devices. |
Endpoint
A computer device such as a desktop workstation, mobile phone, tablet, or laptop. |
Mac Device Management, Windows Device Management | Learn how |
| Perform regular network vulnerability scans. Contact your departmental IT administrator or security@mit.edu for assistance. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Server
A host that provides a network accessible service. |
Learn how | |
| Ensure authentication and access logs are sent to a second device. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Server
A host that provides a network accessible service. |
Learn how |
| Task | Applies to | Service or Tool | |
|---|---|---|---|
| Anonymize information whenever possible and separate access to identified and de-identified data sets. For physical media store identified information in a separate locked file cabinet. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Media
, Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc.
Server
A host that provides a network accessible service. |
Learn how | |
| Observe applicable data retention policies upon project completion. Securely delete the information if possible. If you must retain a copy of information at this level, ensure that it remains secure. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Media
, Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc.
Server
A host that provides a network accessible service. |
Learn how | |
| Destroy devices and media that are no longer needed in a way such that no information can be recovered. |
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Media
, Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc.
Server
A host that provides a network accessible service. |
Learn how |
| Task | Applies to | Service or Tool | |
|---|---|---|---|
| Promptly report actual or suspected compromise, including loss, theft, improper use, modification of, or access to information to security@mit.edu. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Media
, Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc.
Server
A host that provides a network accessible service. |
Learn how | |
| Review your systems and procedures regularly to ensure the tasks for this risk level are applied. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Media
, Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc.
Server
A host that provides a network accessible service. |
Learn how | |
| If you are developing (or contracting a vendor to develop) applications processing this level of information, include security as a design requirement. |
Application
Software running on a server that is remotely accessible, including mobile applications. |
Learn how | |
| If you are developing (or contracting a vendor to develop) applications processing this level of information, review code and correct flaws prior to deployment. |
Application
Software running on a server that is remotely accessible, including mobile applications. |
Learn how |
| Task | Applies to | Service or Tool | |
|---|---|---|---|
| Create a unique, non-privileged, account for each user. Assign a different password for user and administrative accounts. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
A host that provides a network accessible service. |
Learn how | |
| Use strong passwords. Change authentication keys e.g., password, certificate, regularly - at least annually. |
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
, A host that provides a network accessible service.
Application
Software running on a server that is remotely accessible, including mobile applications. |
LastPass Enterprise, Passwords | Learn how |
| Do not reuse passwords for multiple services. Do not use your Kerberos password for non-Kerberos enabled systems. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
A host that provides a network accessible service. |
LastPass Enterprise, Passwords | Learn how |
| Change passwords immediately if a compromise is suspected. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
A host that provides a network accessible service. |
Passwords | Learn how |
| Enable password protection at startup. |
Endpoint
A computer device such as a desktop workstation, mobile phone, tablet, or laptop. |
Learn how | |
| Store and transmit only encrypted passwords. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Server
, A host that provides a network accessible service.
Media
, Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc.
Endpoint
A computer device such as a desktop workstation, mobile phone, tablet, or laptop. |
Encryption, Passwords | Learn how |
| Change default or vendor-supplied passwords and remove default accounts. |
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
, A host that provides a network accessible service.
Application
Software running on a server that is remotely accessible, including mobile applications. |
Passwords | Learn how |
| Utilize multi-factor authentication for remote access. |
Endpoint
A computer device such as a desktop workstation, mobile phone, tablet, or laptop. |
Duo Security | Learn how |
| Utilize multi-factor authentication for remote interactive user and administrator logins |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Server
A host that provides a network accessible service. |
Duo Security | Learn how |
| Task | Applies to | Service or Tool | |
|---|---|---|---|
| Lock hard copy information records in a file cabinet within a locked office. |
Media
Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc. |
Learn how | |
| Restrict physical access to any storage facility that contains physical media with this level of information. Only authorized individuals may have access either through a physical or electronic key. |
Media
Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc. |
Learn how | |
| Place system hardware in a data center. |
Server
A host that provides a network accessible service. |
Server Co-location | Learn how |
| Fax records to a non-public fax machine only if arrangements have been made so that the intended recipient will take the copies off the machine immediately upon receipt. |
Media
Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc. |
Learn how | |
| Plan ahead to keep paper research data and forms (e.g., field notes, observations, interviews, informed consents) secure while traveling abroad. |
Media
Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc. |
Learn how | |
| Remove information on copiers, fax machines, or other shared devices promptly. |
Media
Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc. |
Learn how | |
| Use appropriately secure means when transferring physical media containing information. Track transfers to confirm that they reached the intended recipient. |
Media
Any portable data storage method such as paper hard copies, external USB hard drives, CDs/DVDs, etc. |
Learn how |
| Task | Applies to | Service or Tool | |
|---|---|---|---|
| Install malware protection applications, if available for the platform. |
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
A host that provides a network accessible service. |
CrowdStrike, Sophos Anti-Virus, Virus Detection and Prevention | Learn how |
| Set up and perform regular backups. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
A host that provides a network accessible service. |
CrashPlan, TSMĀ (Tivoli Storage Manager) | Learn how |
| Backup solution encrypts information in transit and at rest. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
A host that provides a network accessible service. |
CrashPlan, TSM (Tivoli Storage Manager), Backup, Encryption | Learn how |
| Enable whole disk encryption on portable devices. |
Endpoint
A computer device such as a desktop workstation, mobile phone, tablet, or laptop. |
BitLocker (Windows), FileVault (Mac) | Learn how |
| Information at this level is transmitted over an encrypted connection. |
Application
, Software running on a server that is remotely accessible, including mobile applications.
Endpoint
, A computer device such as a desktop workstation, mobile phone, tablet, or laptop.
Server
A host that provides a network accessible service. |
Learn how |
