| Harvard University Information Security |
| University Mandates Approved by Harvard Risk Management Committee |
| Updated May 18, 2009 |
| 1. Training |
| Each School must identify and provide training for staff members who are involved in the use or processing of Confidential and High Risk Confidential Information. Harvard policy and Massachusetts law require training for those who are involved in the use or processing of High Risk Confidential Information. Each School must work with its Institutional Review Board to provide appropriate training for faculty members who are engaged in research involving Confidential or High Risk Confidential Information. |
| 2. Comprehensive Communication |
| Each School must ensure that information on security requirements and expectations is communicated to faculty. |
| 3. Laptop Encryption |
| Each School must ensure that all University-owned laptops are encrypted. |
| 4. Finding HRCI |
| Each School must ensure that all University-owned user computers and servers are scanned annually to locate High Risk Confidential Information (HRCI). |
| 5. Vulnerability Testing |
| Each School must annually perform vulnerability testing of servers containing HRCI. |
| 6. Network Requirements |
| Each School must ensure that all systems with HRCI are on private address space and locally firewalled. |
| 7. Remote Access |
| Each School must adopt a written policy specifying under what conditions, and by whom, HRCI may be accessed from outside Harvard premises. Schools must ensure that permission for remote access to HRCI is strictly limited to those specific employees who have a strong business need for the access. Schools must ensure that any equipment used to remotely access HRCI, and the configuration of that equipment, can adequately safeguard the information. |
| 8. Standard File Transfer |
| Each School must ensure that a secure file transfer method is available to, and used by, all users needing to transfer confidential information. |
| 9. Non-Administrative System Certification |
| All Schools must ensure that all faculty, research, or student-managed systems with confidential information annually certify their compliance. |
| 10. Managing Security and Practices |
| Each School should have a comprehensive Risk and Security Team, empowered to make and implement decisions regarding all aspects of School security, including building access, paper, technology, facilities, etc. |