Discussion

No high-risk confidential information is permitted on any user computer or user storage device even if the information is encrypted. (See Section 1.1: Storing High-Risk Confidential Information) Other Harvard confidential information can be stored on user computers (laptops or desktops) or user storage devices (including portable disks, flash drives, CDs, and DVDs) if it is properly protected.

An example of proper protection is file or disk encryption using a standardized encryption algorithm that employs keys that are 128 bits long or longer. Passwords for accessing the encrypted information should never be kept on the same computer as the encrypted information.

Users should not depend on the built-in file locking in Microsoft Office because of the numerous applications available that can be used to circumvent the protections.

Loss of a computer or portable device that contains confidential information that is not, by itself, high-risk confidential information may still be subject to the reporting requirements in Massachusetts law even if the information is encrypted if the decryption key was also compromised.(See Section 9.2: Reporting Security Breaches.)

All university owned laptops must be encrypted in order to ensure that confidential information is not exposed when a laptop is stolen or lost.

Annually all university owned user computers and servers must be scanned to locate HRCI unless the server is already known to include HRCI.   If HRCI is found on a user computer the HRCI must be removed unless the HRCI is only that of the computer's user.  If HRCI is found on a server the HRCI must be removed or the requirements in section 1.1 must be met.