Data Security

Data Security at CSAIL

MIT has Data Security information available on line at http://infoprotect.mit.edu/ and policy information at http://infoprotect.mit.edu/wisp

This page is meant to help CSAIL lab members determine how sensitive their data is and how to properly store and handle data of different security levels, particularly for Medium Risk.

Excerpt from Information Protection @ MIT

Higher education institutions have a reputation for employing less stringent data security protocols which increases the potential of accidental data loss and exposure. The breadth and volume of personal data collected by universities, coupled with high turnover and a technically un-savvy population in general, makes the problem of data loss at institutions nearly epidemic in nature.

Some information that is considered sensitive data requires special care and handling. Inappropriate handling of the data could result in penalties, identity theft, financial loss, invasion of privacy, or unauthorized access by an individual or many individuals. The data could also be subject to regulation by state or federal laws and require notification in the event of a disclosure.

Security Levels

The Institute’s Written Information Security Program (WISP) defines three level of risk - Low, Medium, and High:

Low

This information is meant to be freely available to both members of the MIT community as well as the general public without access controls. Publicly available information may still be subject to University review or disclosure procedures to mitigate potential risks of inappropriate disclosure.

Examples include:

Low risk data may be stored on AFS, NFS, or Local system disk using standard access controls to limit the set of authenticated users who have access to the data as appropriate.

Low risk data is appropriate to be backed up according to lab backup policies.

Low data is public requiring no special treatment.

Medium

Information not intended to be freely available to the general public, or to the MIT community, without access controls.

The loss of confidentiality, integrity, or availability of these information assets could reasonably be expected to result in legal liability, reputational damage, or potential for other types of harm.

Examples include:

Medium Risk data is not appropriate for general storage on AFS, NFS, or typical workstation or server local disks, nor is it appropriate for backup with our standard tools.

TIG is able to provide a secured data environment for this level. This requires dedicated hardware purchasing and planning.

High

This information is subject to legal or regulatory requirements necessitating its proper safeguarding and handling, including possible notification in the event of a breach.

The loss of confidentiality, integrity, or availability of these information assets could reasonably be expected to result in serious harm to individuals or the Institute.

High Risk data should never be stored on CSAIL research systems as we do not have security staffing to provide appropriate audit and training.

Examples include:

Regulated Administrative or Academic Information

Regulated Research or Human Subject Information

ITAR (International Traffic in Arms Regulations) and the EAR (Export Administration Regulations)