Harvard Research Data Security Level 4 Requirements
Harvard Research Information Security Policy (HRDSP) Level 4 requirements
Upon confirmation by the IRB of the appropriate security level, researchers are responsible for ensuring that computers and other devices that are used to store research information are set up correctly and operated in a manner that meets the requirements of that level. The specific security measures required are based on the sensitivity of the research information. Researchers should consult the staff of their School’s information technology office or the University Technology Security Officer (UTSO) to help them understand and meet these requirements.
Policy:
Level 4 information: Very sensitive research information must be protected according to the requirements for protecting High Risk Confidential Information (HRCI) in the Harvard Enterprise Information Security Policy (HEISP) http://www.security.harvard.edu/enterprise-security-policy. These requirements include storing such information only on servers that cannot be directly accessed from the Internet and can only be accessed within Harvard through a firewall rather than on user computers. Such servers should be in physically secure locations and all access (including remote access) to the locations and the information should be limited to the specific groups of people authorized by an IRB or other relevant authority. Remote access to such information must be only via encrypted communications paths such as ssh or https.
Computers storing Level 4 research information should meet the requirements of sections 7.1, 7.2 and 7.3 of the HEISP. These requirements include installing such computers on networks using private address space, logging access to the computers, and annually subjecting the computers to vulnerability testing and remediating any significant vulnerabilities promptly.
Definitions:
- Level 4 information includes individually identifiable information that includes High Risk Confidential Information (HRCI) as defined by the Harvard Enterprise Information Security Policy. This includes Social Security numbers as well as other individually identifiable financial information. (See http://www.security.harvard.edu/enterprise-security-policy/1-high-risk-i... for a full list.) Medical records that are not categorized as extremely sensitive and other individually identifiable research information that, if disclosed, could reasonably be expected to present a non-minimal risk of civil liability, moderate psychological harm, or material social harm to individuals or groups should also be classified as Level 4 information. Medical records may also be subject to Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. Subject to specific government requirements in each case, sensitive national security information should usually be classified as Level 4 information.
- A "Level 4 system" is a system (user computer or server) that stores or processes Level 4 information. A Level 4 system may also store or process Level 3 or Level 2 information in addition to the Level 4 information.
- A "Level 4 server" is a server that stores or processes Level 4 information. A Level 4 server may also store or process Level 3 or Level 2 information in addition to the Level 4 information.
- A "Level 4 facility" is a computing facility that meets the following requirements for Level 4 servers. Level 4 facilities may be used to store and process Level 4 information. Level 4 facilities may also be used to store and process Level 3 or Level 2 information as long as the access controls for the Level 4 information meet the following requirements.
Information Use Agreements or Other Security Requirements:
If confidential information is subject to security requirements specified in an information use agreement (such as data use or business agreements), grant, contract, or research protocol, those requirements must be met. Should the IRB, in consultation with its IT department as appropriate, determine that additional protections are necessary, it may impose requirements appropriate to the level of sensitivity of the information, as indicated below. If there are no security requirements specified in a data use agreement, grant, contract, or research protocol, the appropriate level of security and protection will be determined by these data security policies.
The term "confidential information" used in the requirements below refers to the Level 4 information.
The IRB shall have the authority to approve a variance of the following security requirements, in consultation, as appropriate, with Harvard technical experts (such as the School CIO or Security Officer or the UTSO), if the requirements would otherwise unduly hinder the conduct of the research and if alternate methods provide adequate protection of confidential information consistent with applicable legal requirements.
1. Physical security requirements:
1.1. Level 4 servers must be located only in physically secure facilities under University control. Such a facility can be a general purpose facility.
2. Network security requirements:
2.1. Level 4 servers must not be directly accessible from the Internet or from open parts of the Harvard networks unless the confidential information is encrypted. (Note that use of a VPN concentrator is not considered "direct access.")
2.2. The IRB and IT must be provided with written justification if a Level 4 system is to be connected to a network.
2.3. Level 4 systems connected to any network must run host-based firewalls configured to block all connections to the system other than the specific connections needed to perform the approved research.
2.4. Level 4 systems connected to any network must undergo at least annual vulnerability testing and problem remediation.
2.5. Level 4 systems must be only connected to a special network segment dedicated to similar systems.
2.6. No user computers are permitted on the special network segment.
2.7. Level 4 systems connected to a network must use private address space.
2.8. The network segment containing the systems must be protected by a firewall that is configured to block all inbound traffic to the system not specifically required to support the application.
2.9. The network segment containing the systems must be protected by a firewall that is configured to block all outbound traffic from the system not specifically required to support the application.
2.10. The firewall protecting the network segment with the systems must block all administrative access except from the specific computers used by the system administrators.
2.11. Documented practices must be in place and followed on maintaining the configurations of the host-based and network-based firewalls.
2.12. The confidential information must be encrypted when it traverses any network (outside of a switch in a secure information center).
2.13. The confidential information must never be sent via email except in encrypted files.
2.14. All users needing to transfer the confidential information must make use of a secure file transfer method.
3. System security requirements:
3.1. Administrative functions on the Level 4 servers or applications that access the confidential information must be logged. The logs should include the identity of the user, the time, and the command executed.
3.2. Generic accounts on Level 4 systems must be disabled.
3.3. Default passwords on Level 4 systems must be changed before the systems are put into use.
3.4. A mechanism must be in use on Level 4 servers to inhibit attackers guessing passwords (e.g., lockout after multiple bad password guesses).
3.5. A mechanism must be in use on Level 4 servers or clients to block access to idle sessions (e.g., an application timeout or a locking screen saver).
4. Operational requirements:
4.1. There must be a written list of the individuals or the categories of people (e.g., research assistant, lab administrator) that are permitted to have accounts on the Level 4 systems ("The access policy"); the names or categories must be disclosed to the IRB.
4.2. All media (including magnetic media such as portable disk or thumb drives and non-magnetic media such as optical disks or paper) containing the confidential information must be encrypted or secured in a locked container (e.g., a file cabinet or safe) when not actually in use. Access to the locked container should be limited to the specific categories of people disclosed to the IRB.
4.3. Where access to systems storing the confidential information from outside of the research premises is permitted, there must be a written policy identifying individuals or categories of persons who have permission, and under what conditions ("The remote access policy"); the identities or categories must be disclosed to the IRB.
4.4. Users must only have access to the confidential information through their individually assigned (non-shared) user accounts.
4.5. Only the applications that are actually required to support the services used in the research can be running on the servers.
4.6. Users' access to Level 4 data or servers must be removed if they no longer have a reason under the access policy to access the information (e.g., they change jobs or leave the university).
4.7. Level 4 servers must enforce Harvard standard password complexity rules. (See http://www.security.harvard.edu/resources/best-practices/passwords.)
4.8. Level 4 servers and the applications must be designed so that passwords cannot be retrieved by anyone (including system administrators). (This should include a mechanism to ensure that any assigned passwords are changed on initial use.)
4.9. Interactive access to Level 4 servers must be logged. The logs should include the identity of the user, the time, and the function (login or logout).
4.10. The logs should be reviewed periodically to determine if the systems are under attack and that the users are following the documented access practices (e.g., not logging in as root).
4.11. There must be a documented practice, known by the users, to ensure that any possible breach that might put the confidential information at risk is promptly reported to the IRB and the OGC, as well as the University Technology Security Officer and the School and University CIOs.
4.12. The confidential information is not permitted to be stored on any user computer or portable computing device (e.g., laptop, PDA, or smart phone). (See note below about collecting Level 4 information.)
4.13. Backup tapes or other removable media containing the confidential information must be encrypted.
4.14. All electronic records containing the confidential information must be properly disposed of by overwriting the information.
4.15. Old or broken disk storage drives that were used to store the confidential information must be properly disposed of by physical destruction or overwriting the information.
4.16. The IRB must be informed of any plans to have a vendor store or process the confidential information.
4.17. Contracts must be executed with all external vendors who process or store the confidential information at Harvard's direction.
4.18. The contracts must contain specific contract language (approved by the OGC) that requires the vendor to protect the information and to inform Harvard promptly of any possible breach that may put the confidential information at risk of exposure.
4.19. The contracts must contain specific language (approved by the OGC) to ensure that the confidential information is not stored on a user computer at a vendor.
4.20. The contracts must contain specific contract language (approved by the OGC) to ensure that the protection of the confidential information meets the requirements of Massachusetts law and of this policy.
4.21. The contract riders on the security web site meet the above requirements. (http://www.security.harvard.edu/resources/statements/contract-riders)
4.22. All software (operating system and application) patches must be up to date.
4.23. Only the applications that are actually required to support the required services can be running on a server.
4.24. Level 4 systems must be running an appropriate virus checker and the virus checker information files must be updated at least weekly.
4.25. Operators of non-IT-managed Level 4 servers must annually certify to their school CIO that they are compliant with the Harvard Enterprise Information Security Policy.
4.26. Harvard employees working with any kind of confidential information should undergo training in general information security at least annually.
4.27. Implementation of operational requirements is subject to review and audit by the UTSO, RMAS, and/or the IRB.
Other security considerations
1.1. The facility should have a minimum number of normally active entry/exit points, each of which should be controlled, between the secure area and non-secure areas. Additional exits are OK if alarmed.
1.2. The physical location of the secure area should not be visible from outside the building if the room is located on the ground floor, that is, no windows.
1.3. Individual physical access to the secure area must be controlled and logged (e.g., card swipe required for each person entering). Visitors to the secure area must be escorted at all times and their actions must be monitored.
1.4. The log of physical access must be protected and restricted from unauthorized access.
Collecting Level 4 information
Collection of Level 4 information while in the field must adhere to strict security protocols. The protocol(s) to be used must be provided to the IRB. Some examples include:
1.1. Computer-based collection of Level 4 information in the field may be done using a VPN connection to a Level 4 server.
1.2. Computer-based collection of Level 4 information in the field may be done using a computer with an encrypted disk. In this case the information should be securely transferred to a secure server as soon as practical. The secure transfer can be done through a VPN to a Level 4 server, by using an encrypted thumb drive, or by encrypting the information files and transferring the encrypted files, for example via email, or a secure file transfer application to a secure location.
1.3. The Level 4 information must be promptly and securely removed from the computer used to collect the Level 4 information once the transfer has been completed and verified.
Effective date October 7, 2010