Introduction.
Harvard has developed this Enterprise Information Security
Policy to ensure that Harvard's technical resources are properly protected,
that the integrity and privacy of confidential information is maintained, that
information resources are available when they are needed and that users of
these resources understand their responsibilities.
Policy titles shown in bold red link to detailed information, including a
discussion of the policy and best practices for complying with it. Click on these
policy titles to access that additional information.
Scope.
These policies apply to everyone at Harvard who works with Harvard
confidential information, to vendors who contract with Harvard to work with
Harvard confidential information and to the physical and computer environments
that support their work.
Compliance Assessment.
Under Harvard's compliance program, Schools and service
organizations within central administration annually review and report on their
levels of compliance with Harvard's Enterprise Information Security Policy to
the University CIO.
As part of its scheduled review of Harvard's School information
technology areas, Harvard Risk
Management and Internal Audit (RMAS) periodically reviews each School's
compliance and related education and remediation activities. If other efforts
fail, Harvard community members may anonymously report areas of concern or
non-compliance. (See Anonymous
Reporting.)
Assessing Risk.
A risk assessment is an important part of any information security
process and will help in assigning priorities for mitigating risk. Users should review the Risk Assessment
Reference Tool before starting to plan any mitigation efforts. [See Risk
Assessment.]
Questions.
Questions, suggestions, and recommendations regarding Harvard's Enterprise
Information Security Policy may be directed to the University Technology
Security Officer (Scott_Bradner@Harvard.Edu).
-------------------------------------------
Harvard Confidential Information
Harvard defines Confidential Information as including information
about a person or an entity that, if disclosed, could reasonably be expected to
place either the person or the entity at risk, or be damaging to financial standing,
employability, or reputation. In addition to any University penalties,
inappropriate disclosure or misuse of confidential information may, in some
cases, lead to criminal or civil liability.
Unless specifically designated as public, information about
present and former students, faculty, and staff, and other individuals who deal
with Harvard, should be considered to be confidential. Confidential information also
includes all non-public information about Harvard. [See Confidential
Information for a more detailed discussion of what is considered
confidential information.]
Some types of confidential information present special risks and
need special protection. (See Section 1 High-Risk Information.)
Harvard employees are required to properly protect confidential
information under Harvard's employment policies. [See, for example, Harvard Employment
Policies and Contracts.] In addition, all people at Harvard are required to protect certain types
of confidential information under state or federal law. [See Section 9
Federal and Regulatory.]
The policies in this document cover all types of confidential information
at Harvard and at vendors holding or processing Harvard confidential
information including high-risk personally identifiable confidential
information, other personally identifiable confidential information and
institutional confidential information.
1. High-Risk Information
Certain categories of information are classified as high risk,
either because the exposure of this information can cause harm or because the
information is specifically protected under law or under contract. Extra care
must be taken to protect high-risk confidential information in both electronic
and paper form. Improper access to or release of high-risk confidential information may be subject to legal
reporting requirements. (See Section 9.2 Reporting
Security Breaches.) Such information is also subject to legal requirements when being disposed of. (See Section 9.1
Disposition and Destruction of Records.)
High-Risk Confidential Information
includes a person's name in conjunction with the person's Social Security, credit or debit
card, individual financial account, driver's license, state ID, or passport
number, or a name in conjunction with biometric information about the named
individual. High-risk confidential
information also includes human subject information (see section 1.2)
and personally identifiable medical information (see section 1.3).
1.1 Storing High-Risk Confidential Information
No member of the Harvard community
and no vendor to Harvard is permitted to store High-Risk Confidential
Information (other than their own) in any way relating to Harvard or Harvard sponsored
activities locally on any individual user computer or on a portable storage
device. Servers storing high-risk
confidential information must be protected as Target Computers.
Non-electronic records containing
high-risk confidential information must be kept in secure locked containers except
when in use.
People or groups at Harvard who wish to collect or work with
High-Risk Confidential Information or to contract with a vendor to collect or
work with such information must obtain prior approval from the School and/or
University CIO.
1.2 Human Subject Information
Under Federal law, all research at Harvard that includes human
subjects must be approved by a Harvard Institutional Review Board (IRB). Personally identifiable data collected
for, used in, or produced by research involving human subjects must be
protected from inadvertent or inappropriate disclosure. Proposals for all research projects
that involve such data must include an acceptable, effective, and documented
procedure for the protection of such data before the project can be approved or
granted continuing approval by the IRB.
1.3 Personally Identifiable Medical Information
Personally identifiable Medical Information at Harvard is
subject to the requirements of the Health Insurance Portability and
Accountability Act (HIPAA) when used or kept by units of Harvard that are
considered "covered entities" under HIPAA. Personally identifiable
medical information used or kept elsewhere at Harvard is still highly sensitive
and confidential, and must be protected in compliance with the policies for
protecting High-Risk
Confidential Information.
2. Controlling Access to Harvard Confidential Information
2.1 Obtaining Harvard Confidential Information
Requests for Harvard Confidential Information must be made through the University Help Desk.
2.2 Protecting Confidential Information on Networks
All confidential information must be encrypted when transported
across any network.
Users should clearly understand that many common systems such
as normal email cannot be considered a secure way to transport confidential
information.
2.3 Making Information Available through Directories
Any application that provides public access to directory
information collected by Harvard about individuals and any process that creates
printed lists of people for public display or distribution must adhere to any
privacy preferences established by the individuals.
2.4 Identifying Users With Access To Confidential Information
System owners must be able to identify individual users of
systems that contain or access confidential information. Passwords used to
access such systems must meet current industry standards for length and
complexity. User passwords must not be shared and must not be retrievable by
anyone, including the system operator.
The Harvard PIN system or LDAP Server are to be used for
Harvard institutional applications that access confidential information unless
a specific exception is made by the University CIO.
2.5 Inhibit Password Guessing
There must be a mechanism to limit the number of repeated
unsuccessful attempts to log into an application or server that deals with
confidential information.
2.6 Limit Application Availability Time
There must be a mechanism to time out a user’s access to
applications that deal with confidential information.
2.7 Limit User Access to Confidential Information
Application owners must ensure that only users with a specific
business reason to access an application can access that application and no
more than that application. Access rights to applications that can access confidential information must reflect a
user's current university status.
Administrative access rights to servers with confidential
information must be limited to system administrators with a specific business
reason for access and such access must be logged; any access rights must change
if their university status changes.
Access to non-electronic records containing confidential
information must be restricted to people with a business need to access the
records.
2.8 Confidential Information on Harvard Computing Devices
Harvard Confidential Information must be protected if it
resides on a Harvard user's computer or a portable storage device. The theft of a computer or portable storage device
must not put Confidential Information at risk of disclosure. See also Section 1.1, which prohibits storing high-risk confidential information on such computer or device.
2.9 Internet access to confidential information
No Harvard confidential information can be saved on any
computer directly accessible from the Internet or from the open portions of
Harvard’s internal network.
2.10 Confidentiality Agreements
Some University employees who have access to confidential
information are required by law or Harvard process to sign a confidentiality
agreement.
2.11 Harvard University ID Numbers
Access to lists and databases of HUIDs should be restricted to persons who have specific need of such access for performance of their jobs.
3. Student Information
Harvard maintains information about students and former students.
The Family Educational Rights and Privacy Act (FERPA) is a federal law that
controls access to such information. Anyone at Harvard with access to
information about students must be aware of and adhere to FERPA. This also
applies to information about former students that was collected when they were
students.
3.1 FERPA Directory Information
The Registrars of the Harvard Schools have developed a common
definition of FERPA Directory Information in order to provide a consistent
University-wide understanding of what data elements might ever be considered
public information about students.
3.2 FERPA blocks
FERPA permits students to request that their directory
information not be publicly displayed. The Registrars of the Harvard Schools have developed a common set of
forms for use by students to make such requests.
4. Accepting Payment Cards
Harvard University will allow acceptance of credit cards as payment for goods,
services, or gifts only in accordance with the procedures outlined in the
Harvard University Credit Card Merchant Handbook.
5. Physical Environment and Recording the Activities of Individuals
Physical access to environments and systems containing
confidential information needs to be controlled to ensure the protection of the
information and of other Harvard resources.
Logs of access to physical facilities or electronic systems need
to be properly protected.
5.1 Physical Environment
Whether in Harvard offices or at off-site locations, all
confidential information in paper or magnetic media form must be properly
protected. Computers containing confidential information must be physically secure.
Physical access to any facility that is sensitive for any
reason should be appropriately secure.
5.2 Recording Information About the Activities of Individuals
Any unit that maintains logs or automatically generated records
of actions of individuals must adopt written policies on the purpose of, and
retention and access policies for, such logs and records.
6. Contracts
Harvard vendors dealing with Harvard confidential information,
whether or not they obtain the data directly from Harvard, must have a written
contract covering their services including the proper contract riders requiring
the protection of Harvard's information. The security design, policies, and procedures of vendors who will
receive, collect, store or process high-risk confidential information must be
reviewed by the Harvard Information Security Officer and/or Harvard Risk
Management and Audit Services.
People or groups at Harvard who wish to contract with a vendor
to collect or work with high-risk confidential information must also obtain
prior approval from the School or University CIO.
7. Computers and Servers
Computers at Harvard must be properly configured and maintained in
order to ensure the protection of information on those resources.
Specific best practices for computers that might be targets of
special interest to hackers because of the information they contain or the
resources they control are noted under the heading "Target
Computers."
7.1 Computer Operation
Computer operators must ensure that the computer environment is
secure, patches are up to date and the machines are operated in a way to
minimize the chance of a security breach. Computer operators also must ensure
that only required applications are enabled on a computer.
7.2 Computer Setup
Computer operators must ensure that the computer environment is
properly protected by filters to ensure that malicious traffic does not reach
the applications on the server.
7.3 Target Computers
Computers that might be broken into because of the information
they contain or the resources they control need special protections.
7.4 Network Take-down and Vulnerability Scanning
Network managers are authorized by the University to run vulnerability scans in order to identify security risks and to protect computing and networking resources. Network operators should monitor network activity for signs of attack and take action in the absence of action by the operators of a compromised computer.
8. IT Service Resumption
If the loss of a set of confidential data, or the extended loss of access to it,
presents a substantial business risk, then the
security and availability of this confidential information must be
assured. Each business area using
such confidential information must develop and document a business continuity
plan containing data backup, disaster recovery timeline, methodology,
documentation, procedures, and action steps.
9. Federal and Regulatory
All users of confidential information must adhere to state and
federal regulatory statutes as well as Harvard policies pertaining to
confidential information.
Massachusetts law imposes specific requirements for the proper
destruction of electronic and paper records containing high-risk confidential
information and the reporting of improper access to or use of records
containing such information.
9.1 Disposition and Destruction of Records
Electronic or physical records containing confidential
information must be properly disposed of so that the confidential information
cannot be retrieved.
9.2 Reporting Security Breaches
Known or suspected breaches in the security of Harvard
Confidential Information must be immediately reported to the Harvard University
Office of General Counsel.
10. Web-Based Surveys and Other Data Collection Tools
Data collection tools, such as web-based surveys, that request
confidential information must ensure that responses cannot be accessed by
unauthorized persons and that personally identifiable information is not
improperly disclosed or shared. If
a vendor is involved in conducting the survey or analyzing results that include
confidential information that can be linked to individuals, a contract must be
in place that protects the confidential information.