2.8 Confidential Information on Harvard Computing Devices

Policy

Harvard Confidential Information must be protected if it resides on a Harvard user's computer or a portable storage device. The theft of a computer or portable storage device must not put Confidential Information at risk of disclosure. See also Section 1.1: Storing High-Risk Confidential Information, which prohibits storing high-risk confidential information on such a computer or device. All University-owned laptops should be encrypted.

All University-owned user computers and servers must be scanned annually to locate High-Risk Confidential Information (HRCI).

Discussion

No high-risk confidential information is permitted on any user computer or user storage device, even if the information is encrypted. (See Section 1.1: Storing High-Risk Confidential Information.)

Other Harvard confidential information can be stored on user computers (laptops or desktops) or user storage devices (including portable disks, flash drives, CDs, and DVDs) if it is properly protected.

An example of proper protection is file or disk encryption using a standardized encryption algorithm that employs keys that are 128 bits long or longer. Passwords for accessing the encrypted information should never be kept on the same computer as the encrypted information.

Users should not depend on the built-in file locking in Microsoft Office because of the numerous applications available that can be used to circumvent the protections.

Loss of a computer or portable device that contains confidential information that is not, by itself, high-risk confidential information may still be subject to the reporting requirements in Massachusetts law, even if the information is encrypted, if the decryption key was also compromised. (See Section 9.2: Reporting Security Breaches.)

The University's policy is that all University-owned end-user computers should have their primary data storage encrypted. This measure is meant to safeguard confidential information in the event a computer is lost, stolen or improperly decommissioned. If the primary user of the computer believes this control is unnecessary and wants to take responsibility for protecting data on their computer, an opt-out request may be made by completing the Encryption Opt-Out Request. Opt-out requests are subject to review by school or central IT departments. Approved opt-out requests shall be reviewed annually, and the requester may be contacted should there be any questions.

Annually, all University-owned user computers and servers must be scanned to locate HRCI unless the server is already known to include HRCI. If HRCI is found on a user computer, the HRCI must be removed unless the HRCI is only that of the computer's user. If HRCI is found on a server, the HRCI must be removed or the requirements in Section 1.1 must be met.

Best Practices

Disk and Portable Device Encryption