Harvard Research Data Security Level 2 Requirements
Harvard Research Information Security Policy (HRDSP) Level 2 requirements
Upon confirmation by the IRB of the appropriate security level, researchers are responsible for ensuring that computers and other devices that are used to store research information are set up correctly and operated in a manner that meets the requirements of that level. The specific security measures required are based on the sensitivity of the research information. Researchers should consult with the staff of their School’s information technology office or the University Technology Security Officer (UTSO) to help them understand and meet these requirements.
Policy: Level 2 information: Good computer use practice that meets the requirements in sections 7.1 and 7.2 of the Harvard Enterprise Information Security Policy (HEISP) should be used when storing benign research information and access should be limited to those individuals who have a specific research need to access the information. These requirements include making use of complex passwords, not sharing accounts, limiting system accounts to those with a specific need, not responding to offers or links in unsolicited email, and not surfing web sites that are likely to try to download malware (e.g., illegal file sharing or pornography sites).
- Level 2 information includes individually identifiable information, disclosure of which would not ordinarily be expected to result in material harm, but as to which a subject has been promised confidentiality.
- A "Level 2 system" is a system (user computer or server) that stores or processes Level 2 information.
- A "Level 2 server" is a server that stores or processes Level 2 information.
- A "Level 2 facility" is a computing facility that meets the following requirements for Level 2 servers. Level 2 facilities may be used to store and process Level 2 information.
Information Use Agreements or Other Security Requirements: If confidential information is subject to security requirements specified in an information use agreement (such as data use or business agreements), grant, contract, or research protocol, those requirements must be met. Should the IRB have concerns that additional protections may be necessary, it will consult with its IT department and may impose requirements appropriate to the level of sensitivity of the information, as indicated below.
If there are no security requirements specified in a data use agreement, grant, contract, or research protocol, the appropriate level of security and protection will be determined by these data security policies.
The term "confidential information" used in these requirements refers to the Level 2 information.
Except where there are specific legal protection requirements, the IRB, or the UTSO in consultation with the IRB, has the authority to approve a variance from the following security requirements, in consultation with appropriate Harvard technical experts (such as the School CIO or Security Officer), if the requirements would otherwise inappropriately affect the conduct of the research and if alternate methods will still provide adequate protection of confidential information.
1. System security requirements:
1.1. Generic accounts on systems must be disabled.
1.2. Default passwords on systems must be changed before systems are put into use.
1.3. A mechanism must be in use on Level 2 servers to inhibit attackers guessing passwords (e.g., lockout after multiple bad password guesses).
1.4. A mechanism must be in use on Level 2 servers or clients to block access to idle sessions (e.g., a locking screen saver).
2. Operational requirements:
2.1. Users must only have access to the confidential information through their individually assigned (non-shared) user accounts.
2.2. Users' access to Level 2 data or servers must be removed if they no longer have a reason under the research protocol to access the information (e.g., they change jobs or leave the University).
2.3. Users of Level 2 servers must follow Harvard standard password complexity rules (see http://www.security.harvard.edu/resources/best-practices/passwords).
2.4. Level 2 servers and the applications must be designed so that passwords cannot be retrieved by anyone (including system administrators). (This should include a mechanism to ensure that any assigned passwords are changed on initial use.)
2.5. Interactive access to Level 2 servers must be logged. The logs should include the identity of the user, the time and the function (login or logout).
2.6. The logs should be reviewed if a security incident is suspected.
2.7. There must be a documented practice known by the users to ensure that any possible breach that might put the confidential information at risk is promptly reported to the IRB as well as the School or University CIO.
2.8. System software (operating system and application) patches must be up to date.
2.9. Level 2 systems should be running an appropriate virus checker and the virus checker information files should be updated at least weekly.
2.10. Harvard employees working with any kind of confidential information should undergo training in general information security at least annually.
2.11. University owned systems should be scanned at least annually to ensure that no high risk confidential information (HRCI) is stored on the system.
2.12. Implementation of operational requirements is subject to review and audit by the UTSO, RMAS, and/or the IRB.
Effective date October 7, 2010