
2.7 Limit User Access to Confidential Information

Policy

Application owners must ensure that only users with a specific business reason to access an application can access that application and no more than that application. Access rights to applications that can access confidential information must reflect a user’s current university status.

Administrative access rights to servers with confidential information must be limited to system administrators with a specific business reason for access, and such access must be logged; any access rights must change if the administrator's university status changes.

Access to non-electronic records containing confidential information must be restricted to people with a business need to access the records.

There must be written policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing high risk confidential information about people other than themselves outside of business premises.


Discussion

Harvard requires that access to confidential information be granted only to people with a business need to access the information, to minimize the threat of improper disclosure or use of the information. Access granted to a specific person needs to be reevaluated if that person leaves the university or transfers to another job within the university, and their ability to access the information should be removed when there is no longer any business requirement for the access.

Harvard has developed model checklists to be used when employees are hired, transfer, or leave the university. Following these templates can help ensure that the proper steps are followed to meet this policy.

State regulations require that written policies exist relating to remote access to or remote storage of high risk confidential information (HRCI). It is a Harvard requirement that such policies also address the remote access to or remote storage of other Harvard-related confidential information. A written policy specifying under what conditions, and by whom, HRCI may be accessed from outside of Harvard premises must be in force for all university employees. Permission for remote access to HRCI must be strictly limited to those specific employees who have a strong business need for the access. Any equipment used to remotely access HRCI, and the configuration of that equipment, must be adequate to safeguard the information. These policies, and the procedures that support them, can be school-wide or local to a group.

Harvard's external auditors operate under the Statement on Auditing Standards (SAS) No. 112, "Communicating Internal Control Related Matters Identified in an Audit." SAS 112 was developed by the American Institute of Certified Public Accountants and dictates some of what are to be considered good practices when dealing with systems that handle financial information, and how exceptions to these practices are to be reported. Harvard generally considers that the practices outlined in SAS 112 should be used with systems containing non-financial confidential information as well. One of the SAS 112 practices that businesses frequently find to be a change from current practice is the requirement that developers not have unrestricted access to production systems, since SAS 112 does not consider it a business need for developers to access, and have the opportunity to modify, the data on production systems.


Best Practices:

Remote Access to Computing Resources [1]

Additional References:

Generally Accepted Accounting Practices (GAAP) [2]

MA Identity Theft Regulations Effective January 2010 [3]

SAS 112 Introduction [4]

SAS 112 [5]

© 2009 President and Fellows of Harvard College.



Source URL (retrieved on 11/25/2009 - 02:32): http://www.security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_7

Links:
[1] http://www.security.harvard.edu/resources/best-practices/remote-access
[2] http://www.fasab.gov/accepted.html
[3] http://www.mass.gov/?pageID=ocapressrelease&L=1&L0=Home&sid=Eoca&b=pressrelease&f=20090212_idtheft&csid=Eoca
[4] http://www.aicpa.org/Professional Resources/Accounting and Auditing/Audit and Attest Standards/Practice Aids and Tools/Understanding SAS No 112.htm
[5] http://www.aicpa.org/download/members/div/auditstd/AU-00325.PDF