This past spring, Information Services & Technology announced the publication of a campus-wide Written Information Security Program (WISP), which addresses the requirements of the new Massachusetts regulations, 201 CMR 17.00, for safeguarding residents from identity theft and fraud. But there's more MIT can do.
In addition to removing risks to PIRN (personal information requiring notification) by simply not collecting what is not needed, we need to protect the PIRN we keep. To that end, MIT has adopted the state regulation's requirement to encrypt laptops and other portable devices that contain this information.
PGP Desktop whole disk encryption
IS&T has begun to provide licenses of PGP Desktop to high-risk areas around the Institute. PGP Desktop, whole disk encryption software, runs on Windows, Mac and Linux computers. It prevents unauthorized access to a lost or stolen laptop (or USB key or external hard drive) by scrambling the data on the drive, and unlocks the drive only when the correct password is entered at start-up. After installation, the encryption of the hard disk runs in the background and, depending on the size of the hard drive, is complete after a few hours.
The decision to use PGP Desktop was easy: because it is centrally managed by IS&T, help desk administrators can provide a one-time recovery token, which eliminates the risk of a user forgetting the password and being locked out of the computer.
Resources and support
PGP Desktop is available to faculty and staff who handle MIT business data, including the personal data of other individuals. If you have a business need for encryption software, you can contact the PGP Help group with questions or download the software from the IS&T website (certificate required). Frequently asked questions can be found in Hermes, the IS&T knowledge base.
More information on data protection and WISP is available on the new Information Protection at MIT website.