ITAG Lunchtime Seminar: Sensitive Data and Local Databases

Download Report

Transcript ITAG Lunchtime Seminar: Sensitive Data and Local Databases 

ITAG Lunchtime Seminar
Filemaker
Best Practices and Service
Offerings
Scott Thorne, IS&T ISDA
“Sensitive Data and Local Databases”
MacKenzie Smith, Libraries
“MIT Libraries Policy on the Use of Filemaker for
Applications”
Jeff Reed, Cecilia Marra, IS&T DCAD
“Filemaker Service Offerings”
ITAG Lunchtime Seminar Series
February 7, 2007
http://web.mit.edu/itag
Sensitive Data and
Local Databases
Feb 7th 2007
Scott Thorne
Background

There is growing need to build small
systems to meet departmental business
needs

There is a growing problem of data spills


TJX etc
Creates potential risk for the Institute
Response

Promote Awareness

Provide Recommendations


Technical

Business
Provide Resources
Use local database technology such as
Filemaker for -
Local Applications only

That meet the following criteria:

Relatively small & simple

50 users

20 tables or files

100 fields

No Sensitive Data

Use the recommended version and configuration

Manage data not needed by other systems

Warehouse
Sensitive Data

More work required to classify data and gain consensus on
procedures

Extremely Sensitive


Disclosure causes harm

Financial or otherwise

Organizations or Individuals

Example: SSN
Collected with the promise of confidential treatment


Sensitive

Choose to keep confidential, but does not cause harm


Example: Faculty Survey Information
Example: Salaries
http://istwiki.mit.edu/istwiki/ItagSensitiveData or more recently
https://confab.mit.edu/confluence/display/ITAG/ItagSensitiveData
Implementation

Use FileMaker Server instead of peer-to-peer

Use Strong Passwords

Require a password for FileMaker Server

Turn on SSL

Hide Files from network scanning (port 5003)

Implement a backup and recovery procedure

Physically secure the server and backup media
Data Common Sense

Don't store data unless you know why

Don't collect data that is already collected at MIT

Don't collect data until it's needed

Don't store data unless there is a plan to maintain it

Decide data retention policies before collecting data

Review data models before building a system

Document the data definition and sensitivity before
collection

Only update data in its System of Record
More Resources

http://web.mit.edu/itag/policies/sensitive-data.pdf

http://web.mit.edu/itag/guidelines/data.html

http://web.mit.edu/ist/help/filemaker/fmug/Top10.pdf