|
|
|
|
 |
 |
 |
 |
 |
 |
1.1 Storing High-Risk Confidential Information
Policy
No member of the Harvard community and no vendor to Harvard is permitted to store High-Risk Confidential Information (other than their own) in any way relating to Harvard or Harvard sponsored activities locally on any individual user computer or on a portable storage device. Servers storing high-risk confidential information must be protected as Target Computers.
Non-electronic records containing high-risk confidential information must kept in secure locked containers except when in use.
People or groups at Harvard who wish to collect or work with High-Risk Confidential Information or to contract with a vendor to collect or work with such information must obtain prior approval from the School and/or University CIO.
Discussion
These information elements are designated as high-risk since they can be used for the purpose of identity theft. This information, if maliciously obtained and misused, carries a high risk of causing personal, financial, and reputational damage to its owner. Improper access to, or release of, any of this information may be subject to reporting requirements under Massachusetts law. (See Section 9.2: Reporting Security Breaches.) Such information is subject to requirements for proper destruction under Massachusetts law. (See Section 9.1: Disposition and Destruction of Records.)
The policy concerning the storage of high-risk confidential information in electronic form applies whether the computer is owned by Harvard or not, whether the data is encrypted or not, and whether the computer is a portable or a desktop. This policy applies as well to Harvard vendors and contractors. Contracts for services where the contractor will store or process such information on behalf of Harvard must include a contract rider that includes this restriction. (See Section 6.1: Contracts.) Systems that store credit or debit card information must conform to Section 4.1: Accepting Payment Cards.
Paper or other non-electronic records containing high-risk confidential must be kept in locked file cabinets or other locked container (e.g., a safe) except when in use. Unless the locked containers are in a limited access physically secure environment they should be kept locked except when a particular item is being removed or replaced. People or organizations at Harvard who wish to work with high-risk confidential information or to provide such information to a vendor must obtain permission to do so from the School or University CIO before undertaking any such activity. This includes cases where the data is obtained from sources within the University, from non-university sources, or from the individuals themselves. See the High Risk Information Request Process for more information.
Systems that store high-risk confidential information must also conform to the best practices listed for target computers. (See Section 7.3: Target Computers.)
