Overview of the WISP

This Written Information Security Program (also referred to as WISP) has been adopted in accordance with chapter 93H of the Massachusetts General Laws and corresponding regulations setting forth Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR §17). These regulations apply to certain types of personal information that are commonly encountered in MIT business processes.

The Massachusetts regulations identify personal information that, if exposed, may put the identified individuals at risk of identity theft. The regulations require that the affected individuals be notified when this information is exposed as a result of unauthorized use or a security breach. In this document we refer to this information as “Personal Information Requiring Notification” or PIRN.

This Program applies to any area of MIT where PIRN, whether maintained in paper hard copy, electronically or in any other media, is collected, edited, manipulated, reviewed, reported, disposed of or stored.

Some departments and laboratories have the responsibility to develop policies and procedures that pertain to special circumstances. For example, access to government-classified material at Lincoln Laboratory requires establishing specific procedures. In such cases, this Program is considered the minimally acceptable level of protection and control.

It is the responsibility of all members of the MIT community to be aware when they are handling PIRN and to understand and follow the processes defined in or referenced from this document.

For business processes and systems with PIRN, it is the responsibility of each Business Process Owner or System Owner to define the specifics of how the information in their stewardship will be protected, and to ensure anyone using the process or system is familiar with the protection protocol.

MIT's general approach to protecting PIRN is based on three pillars:

  1. Minimizing the collection and storage of PIRN as well as limiting access on a “need to know” basis.
    • Minimizing the collection and storage of PIRN will reduce the chance of its compromise by both limiting the number of staff members who have to handle this information, and reducing the likelihood of a mistaken disclosure. It will also reduce the risk of a technological compromise of electronic PIRN, either via “hacking,” mistaken processing of data or loss of media containing such information.
  2. Increasing staff awareness of data management along with providing appropriate education on how to protect PIRN.
    • Educating and making staff aware of how to handle PIRN will help better protect it from disclosure or compromise.
  3. Utilizing industry best practices in the management of the technology surrounding the processing and storage of PIRN.
    • MIT makes use of and will continue to improve upon technology best practices to protect personal information, both “at rest” (while on storage media) and “in transit” (while being processed or communicated among both computer systems and people).