Harvard Research Data Security Level 5 Requirements
Harvard Research Information Security Policy (HRDSP) Level 5 requirements
Upon confirmation by the IRB of the appropriate security level, researchers are responsible for ensuring that computers and other devices that are used to store research information are set up correctly and operated in a manner that meets the requirements of that level. The specific security measures required are based on the sensitivity of the research information. Researchers should consult the staff of their School’s information technology office or the University Technology Security Officer (UTSO) to help them understand and meet these requirements.
Policy: Level 5 information: Extremely sensitive research information about individually identifiable people
- Extremely sensitive research information must be stored and processed only in physically secure rooms and not stored or processed on computers connected to an information network that extends outside the room. Access to the physically secure room and to the information itself must be limited to the specific individuals identified to and authorized by an IRB or other relevant authority. This means that the physically secure room should not be on a building master key or a janitor's key. Removable media storing such information must be encrypted or stored in a locked safe.
- Level 5 information includes individually identifiable information that could cause significant harm to an individual if exposed, including, but not limited to, serious risk of criminal liability, serious psychological harm or other significant injury, loss of insurability or employability, or significant social harm to an individual or group.
- A "Level 5 system" is a system (user computer or server) that stores or processes Level 5 information. A Level 5 system may also store or process Level 4, Level 3 or Level 2 information in addition to the Level 5 information.
- A "Level 5 server" is a server that stores or processes Level 5 information. A Level 5 server may also store or process Level 4, Level 3 or Level 2 information in addition to the Level 5 information.
Information Use Agreements or Other Security Requirements: If confidential information is subject to security requirements specified in an information use agreement (such as data use or business agreements), grant, contract, or research protocol, those requirements must be met. Should the IRB, in consultation with its IT department as appropriate, determine that additional protections are necessary, it may impose requirements appropriate to the level of sensitivity of the information, as indicated below.
If there are no security requirements specified in a data use agreement, grant, contract, or research protocol, the appropriate level of security and protection will be determined by these data security policies.
The term "confidential information" used in the requirements below refers to the Level 5 information.
The IRB shall have the authority to approve a variance of the following security requirements, in consultation as appropriate with Harvard technical experts (such as the School CIO or Security Officer or the UTSO), if the requirements would otherwise unduly hinder the conduct of the research and if alternate methods provide adequate protection of confidential information consistent with applicable legal requirements.
1. Physical security requirements:
1.1. The confidential information must be stored and used only in one or more physically secure rooms located in University controlled locations.
1.2. Systems must be located in one or more physically secure rooms located in University controlled locations. The secure rooms do not have to be dedicated to a specific Level 5 project.
1.3. The room(s) must have one or two entry/exit points that are controlled. Additional emergency exits are permitted if alarmed.
1.4. The interior of the room should not be visible from outside the building if the room is located on the ground floor, that is, no windows.
2. Access security requirements:
2.1. The IRB must be provided with a list of the individuals who will be permitted to have unescorted physical access to the room(s). Other visitors to the secure area are only permitted in special circumstances (e.g., health emergencies, IT support and security reviews). Such visitors must be escorted at all times and their actions must be monitored.
2.2. Individual physical access to the secure area must be controlled and logged (e.g., card swipe required for each person entering).
2.3. The log of physical access must be protected and restricted from unauthorized access.
2.4. The room(s) must be off the janitor's key.
2.5. The room(s) must be off the general building master and sub-master keys.
3. Network security requirements:
3.1. The IRB and IT must be provided with written justification if a Level 5 system is to be connected to a network.
3.2. Any network connected to Level 5 systems must be localized and must not extend outside the secured room(s). If there are multiple rooms, network connections between rooms must be protected by electrical conduit unless the rooms are adjacent.
3.3. No system on a network that connects to Level 5 systems may be accessible from outside the secure room(s) by any means.
3.4. No wireless network capability can be enabled on any Level 5 system.
3.5. No remote access capability can be enabled on any Level 5 system.
4. System security requirements:
4.1. Level 5 systems should be dedicated to the single purpose of processing or storing Level 5 information.
4.2. Level 5 systems must not be removed from the secure room(s) unless any storage disks in the system have been properly cleaned by overwriting all areas where Level 5 information could have been stored, or have been physically destroyed.
4.3. All administrative functions on the Level 5 systems or applications that access Level 5 information must be logged. The logs should include the identity of the user, the time and the command executed.
4.4. Logs recording administrative functions on Level 5 servers should be reviewed daily to determine whether the systems are under attack and whether users are following the documented access practices (e.g., not logging in as root).
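As an added illustration of the daily review called for in 4.3 and 4.4 (and the guessing control in 7.3), the following script is not part of the policy; it parses constructed syslog-style sshd and sudo lines (host name, users and addresses invented) and reports direct root logins, the administrative command inventory, and repeated failed logins from one source.

```python
import re
from collections import Counter

# Constructed sample lines modelled on syslog output from sshd and sudo;
# the host "l5srv", the users and the addresses are invented for this example.
SAMPLE_LOG = """\
Mar  3 08:02:11 l5srv sshd[2101]: Accepted publickey for alice from 10.10.5.21 port 50122 ssh2
Mar  3 08:03:40 l5srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar  3 08:15:02 l5srv sshd[2140]: Accepted password for root from 10.10.5.30 port 50201 ssh2
Mar  3 09:01:13 l5srv sshd[2188]: Failed password for bob from 10.10.5.44 port 50310 ssh2
Mar  3 09:01:17 l5srv sshd[2188]: Failed password for bob from 10.10.5.44 port 50310 ssh2
Mar  3 09:01:22 l5srv sshd[2188]: Failed password for bob from 10.10.5.44 port 50310 ssh2
Mar  3 09:01:25 l5srv sshd[2188]: Failed password for bob from 10.10.5.44 port 50310 ssh2
Mar  3 09:01:29 l5srv sshd[2188]: Failed password for bob from 10.10.5.44 port 50310 ssh2
Mar  3 10:22:05 l5srv sudo:      bob : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/bin/cp /data/export.csv /mnt/usb/
Mar  3 10:40:00 l5srv sshd[2190]: Disconnected from user alice 10.10.5.21 port 50122
"""

# sudo records who ran what, as which target user, at what time (requirement 4.3)
SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# sshd records interactive login attempts and their outcome (requirements 4.4 and 7.3)
SSH_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)")

def review(log_text, fail_threshold=5):
    """Return the findings a daily reviewer would act on, grouped by kind."""
    findings = {"root_logins": [], "admin_commands": [], "guessing": []}
    failures = Counter()
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            findings["admin_commands"].append((m["ts"], m["user"], m["target"], m["cmd"]))
            continue
        m = SSH_RE.match(line)
        if not m:
            continue  # other sshd/sudo noise (disconnects, session opens) is not reviewed here
        if m["result"] == "Accepted" and m["user"] == "root":
            # a direct root login contradicts the documented access practice in 4.4
            findings["root_logins"].append((m["ts"], m["src"]))
        elif m["result"] == "Failed":
            failures[(m["user"], m["src"])] += 1
    # repeated failures from one source for one account indicate password guessing (7.3)
    findings["guessing"] = [(u, s, n) for (u, s), n in failures.items() if n >= fail_threshold]
    return findings

if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", *item)
```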
5. Operational requirements:
5.1. All media (including magnetic media such as portable disks or thumb drives and non-magnetic media such as optical disks or paper) containing Level 5 information must be encrypted or locked in a safe, which is in a physically secure room, when not actually in use. The names of the specific people who have access to the media must be provided to the IRB.
5.2. All media (including non-magnetic media) containing Level 5 information must not be removed from the secure room unless following a procedure that has been authorized by the IRB.
6. Network security requirements:
6.1. Level 5 Systems connected to any network must run host-based firewalls configured to block all connections to the system other than the specific connections needed to perform the approved research tasks. Documented practices must be in place and followed on maintaining the configurations of the host-based firewalls.
7. System security requirements:
7.1. Generic accounts on systems must be disabled.
7.2. Default passwords on systems must be changed before systems are put into use.
7.3. A mechanism must be in use on servers to inhibit attackers guessing passwords (e.g., lockout after multiple bad password guesses).
7.4. A mechanism must be in use on servers or clients to block access to idle sessions (e.g., an application timeout or a locking screen saver).
8. Operational requirements:
8.1. There must be a written list of the individuals or the categories of people (e.g., research assistant, lab administrator) that are permitted to have accounts on the Level 5 systems ("the access policy"); the names or categories must be disclosed to the IRB.
8.2. Users must only have access to the confidential information through their individually assigned (non-shared) user accounts.
8.3. Only the applications that are actually required to support the services used in the research can be running on the servers.
8.4. Servers must enforce Harvard standard password complexity rules. (See http://www.security.harvard.edu/resources/best-practices/passwords.)
8.5. The confidential information must be encrypted when it traverses any network outside of the secure room(s). (E.g., encrypted data files can be sent to a researcher, who can put the still-encrypted files onto physical media to be transported into the secure room for storage on a Level 5 server. Decryption must only occur in the secure room.)
8.6. Servers and the applications must be designed so that passwords cannot be retrieved by anyone (including system administrators). (This should include a mechanism to ensure that any assigned passwords are changed on initial use.)
8.7. Interactive access to servers must be logged. The logs should include the identity of the user, the time and the function (login or logout).
8.8. Users' access to Level 5 data or servers must be removed if they no longer have a reason under the access policy to access the information (e.g., they change jobs or leave the university).
8.9. There must be a documented practice, known by the users, to ensure that any possible breach that might put the confidential information at risk is promptly reported to the IRB and the OGC, as well as the University Technology Security Officer and the School and University CIOs.
8.10. The confidential information is not permitted to be stored on any user computer or portable computing device (e.g., laptop, PDA, or smart phone). (See the note below about collecting Level 5 information.)
8.11. Backup tapes containing the confidential information must be encrypted.
8.12. All electronic records containing the confidential information must be properly disposed of by overwriting the information.
8.13. Old or broken disk storage drives that were used to store the confidential information must be properly disposed of by physical destruction or by overwriting the information.
8.14. The IRB must be informed of any plans to have a vendor store or process the confidential information.
8.15. Contracts must be executed with all external vendors who process or store the confidential information at Harvard's direction.
8.16. The contracts must contain specific contract language (approved by the OGC) that requires the vendor to protect the information and to inform Harvard promptly of any possible breach that may put the information at risk of exposure.
8.17. The contracts must contain specific language (approved by the OGC) to ensure that the confidential information is not stored on a user computer at a vendor.
8.18. The contracts must contain specific contract language (approved by the OGC) to ensure that the protection of the confidential information meets the requirements in this policy.
8.19. The contract riders on the security web site meet the above requirements. (http://www.security.harvard.edu/resources/statements/contract-riders)
8.20. Harvard employees working with any kind of confidential information should undergo training in general information security at least annually.
8.21. Implementation of operational requirements is subject to review and audit by the UTSO, RMAS, and/or the IRB.
Collecting Level 5 information
Collection of Level 5 information while in the field must adhere to strict security protocols. The protocol(s) to be used must be approved by the IRB. Some examples include:
1.1. Computer-based collection of Level 5 information in the field may only be done by saving the collected information to an encrypted disk or an encrypted thumb drive.
1.2. The information should be transferred to a secure server as soon as practical.
1.3. The Level 5 files must not be decrypted until they are on the Level 5 system.
1.4. The Level 5 information must be promptly removed from the computer used to collect the Level 5 information once the transfer has been completed and verified.
Effective date October 7, 2010