View as PDF [1]
Harvard has developed this Enterprise Information Security Policy to ensure that Harvard's technical resources are properly protected, that the integrity and privacy of confidential information is maintained, that information resources are available when they are needed and that users of these resources understand their responsibilities.
The following policies are provided with detailed information, including a Discussion on the policy and Best Practices for compliance. View guidelines for School and Central Administration compliance [2]. View guidelines for Risk Assessment [3].
No member of the Harvard community and no vendor to Harvard is permitted to store High-Risk Confidential Information (other than their own) in any way relating to Harvard or Harvard sponsored activities locally on any individual user computer or on a portable storage device. Servers storing high-risk confidential information must be protected as Target Computers.
Non-electronic records containing high-risk confidential information must be kept in secure locked containers except when in use.
People or groups at Harvard who wish to collect or work with High-Risk Confidential Information or to contract with a vendor to collect or work with such information must obtain prior approval from their School or University Information Security Officer.
Under Federal law all research at Harvard that includes human subjects must be approved by a Harvard Institutional Review Board (IRB). Personally identifiable data collected for, used in, or produced by research involving human subjects must be protected from inadvertent or inappropriate disclosure. Proposals for all research projects that involve such data must include an acceptable, effective, and documented procedure for the protection of such data before the project can be approved or granted continuing approval by the IRB.
Personally identifiable Medical Information at Harvard is subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA) when used or kept by units of Harvard that are considered "covered entities" under HIPAA. Personally identifiable medical information used or kept elsewhere at Harvard is still highly sensitive and confidential, and must be protected in compliance with the policies for protecting High-Risk Confidential Information.
The University Helpdesk must be contacted (617.496.2001 or helpdesk@harvard.edu) to obtain access to any Directory Services resource (e.g., the ID management system) containing confidential information about individuals.
Access to Harvard core financial or reporting applications (e.g., Oracle Financials and PeopleSoft) should be requested via the local Authorized Requester for the application.
In addition, anyone working with or collecting high risk confidential information about individuals, even if they do not obtain this information from the University core databases, must contact security@harvard.edu or their local school security officer or CIO to discuss data policy and handling requirements before beginning application development.
Only the confidential information reasonably necessary to accomplish a legitimate business purpose should be obtained and the time that such information is retained should be limited to that reasonably necessary to accomplish such purpose.
All confidential information must be encrypted when transported across any network.
Users should clearly understand that many common systems such as normal email cannot be considered a secure way to transport confidential information.
A secure file transfer method must be available to, and used by, all users needing to transfer confidential information.
Any application that provides public access to directory information collected by Harvard about individuals and any process that creates printed lists of people for public display or distribution must adhere to any privacy preferences established by the individuals.
System owners must be able to identify individual users of systems that contain or access confidential information. Passwords used to access such systems must meet current industry standards for length and complexity. User passwords must not be shared and must not be retrievable by anyone, including the system operator.
The Harvard PIN system or LDAP Server is to be used for University applications that access confidential information unless a specific exception is made by the University CIO.
There must be a mechanism to limit the number of repeated unsuccessful attempts to log into an application or server that deals with confidential information.
There must be a mechanism to time out a user’s access to applications that deal with confidential information.
Application owners must ensure that only users with a specific business reason to access an application can access that application and no more than that application. Access rights to applications that can access confidential information must reflect a user’s current university status.
Administrative access rights to servers with confidential information must be limited to system administrators with a specific business reason for access, and such access must be logged; access rights must be changed if the administrator's university status changes.
Access to non-electronic records containing confidential information must be restricted to people with a business need to access the records.
There must be written policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing high risk confidential information about people other than themselves outside of business premises.
Harvard Confidential Information must be protected if it resides on a Harvard user's computer or a portable storage device. The theft of a computer or portable storage device must not put Confidential Information at risk of disclosure. See also Section 1.1: Storing High-Risk Confidential Information, which prohibits storing high-risk confidential information on such computer or device. All University owned laptops should be encrypted.
All University owned user computers and servers must be annually scanned to locate High Risk Confidential Information (HRCI).
No Harvard confidential information can be saved on any computer directly accessible from the Internet or from the open portions of Harvard’s internal network.
University employees who have access to confidential information must annually agree to a confidentiality agreement.
Access to lists and databases of HUIDs should be restricted to persons who have specific need of such access for performance of their jobs.
Each School and central administration must identify and provide training for staff members who are involved in the use or processing of Confidential and High Risk Confidential Information.
Each School must ensure that security requirements and related expectations are properly communicated to their faculty members.
Harvard Registrars have developed a set of Common FERPA Directory Information Elements. Individual Harvard Schools may designate some, but need not designate all, of these elements as “directory information” for their students.
Harvard University will allow acceptance of credit cards as payment for goods, services, or gifts only in accordance with the procedures outlined in the Harvard University Credit Card Merchant Handbook.
Whether in Harvard offices or at off-site locations, all confidential information in paper or magnetic media form must be properly protected. Computers containing confidential information must be physically secure.
Physical access to any facility that is sensitive for any reason should be appropriately secure.
Any unit that maintains logs or automatically generated records of actions of individuals must adopt written policies on the purpose of, and retention and access policies for, such logs and records.
Harvard vendors dealing with Harvard confidential information, whether or not they obtain the data directly from Harvard, must have a written contract covering their services including the proper contract riders requiring the protection of Harvard’s information. The security design, policies, and procedures of vendors who will receive, collect, store or process high-risk confidential information must be reviewed by the Harvard Information Security Officer and/or Harvard Risk Management and Audit Services.
People or groups at Harvard who wish to contract with a vendor to collect or work with high-risk confidential information must also obtain prior approval from the School and/or University CIO.
Computer operators must ensure that the computer environment is secure, patches are up to date and the machines are operated in a way to minimize the chance of a security breach. Computer operators also must ensure that only required applications are enabled on a computer.
All faculty, research, or student-managed systems with confidential information must annually certify their compliance with university IT security policies.
Computer operators must ensure that the computer environment is properly protected by filters to ensure that malicious traffic does not reach the applications on the server.
Systems that might be targets of special interest to hackers because of the information they contain or the resources they control need special protections. This category includes systems containing high-risk confidential information and building management, control and access systems as well as systems containing valuable research data.
All such high risk systems and those containing HRCI must be on private address space and locally firewalled. Annual vulnerability testing must be done on all high risk servers and those containing HRCI.
Network managers are authorized by the University to run vulnerability scans in order to identify security risks and to protect computing and networking resources. Network operators should monitor network activity for signs of attack and take action in the absence of action by the operators of a compromised computer.
If the loss of a set of confidential data, or the extended loss of access to it, presents a substantial business risk, then the security and availability of this confidential information must be assured. Each business area using such confidential information must develop and document a business continuity plan containing data backup, disaster recovery timeline, methodology, documentation, procedures, and action steps.
Each School and Central Administration unit must have, disseminate, and use an incident response process.
Electronic or physical records containing confidential information must be properly disposed of so that the confidential information cannot be retrieved.
If it becomes known or suspected that Harvard Confidential Information may have been acquired or used by an unauthorized person or for an unauthorized purpose, the matter should be immediately reported to the Harvard University Office of General Counsel.
If you are approached by someone representing themselves as a law enforcement officer who requests information about Harvard students, faculty or staff, please tell them to contact the Office of the General Counsel (OGC) at http://www.ogc.harvard.edu or 617-495-1280. See Harvard Staff Advisory: Responding to Law Enforcement Requests [33].
The OGC is the only organization at Harvard authorized to respond to such requests. An exception should be made if you conclude that a fast response is required to protect someone's health or safety. In such a case please record the name and identification of the requester and the information that was requested. Contact the OGC as soon as possible to let them know what happened.
Data collection tools, such as web based surveys, that request confidential information must ensure that responses cannot be accessed by unauthorized persons and that personally identifiable information is not improperly disclosed or shared. If a vendor is involved in conducting the survey or analyzing results that include confidential information that can be linked to individuals, a contract must be in place that protects the confidential information.
Links:
[1] http://security.harvard.edu/files/resources/references/Full_Enterprise_Security_Policy.pdf
[2] http://security.harvard.edu/enterprise-security-policy/compliance-assessment
[3] http://security.harvard.edu/resources/advisories/information-security-risk-assessment
[4] http://security.harvard.edu/enterprise-security-policy/1-high-risk-info/policies-1_1
[5] http://security.harvard.edu/enterprise-security-policy/1-high-risk-info/policies-1_2
[6] http://security.harvard.edu/enterprise-security-policy/1-high-risk-info/policies-1_3
[7] http://security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_1
[8] http://security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_2
[9] http://security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_3
[10] http://security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_4
[11] http://security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_5
[12] http://security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_6
[13] http://security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_7
[14] http://security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_8
[15] http://security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_9
[16] http://security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_10
[17] http://security.harvard.edu/enterprise-security-policy/2-confidential-info/policies-2_11
[18] http://security.harvard.edu/enterprise-security-policy/2-confidential-information/212-training-and-communication
[19] http://security.harvard.edu/enterprise-security-policy/3-student-info/policies-3_2
[20] http://security.harvard.edu/enterprise-security-policy/4-cards/policies-4_1
[21] http://security.harvard.edu/enterprise-security-policy/5-access/policies-5_1
[22] http://security.harvard.edu/enterprise-security-policy/5-access/policies-5_2
[23] http://security.harvard.edu/enterprise-security-policy/6-working-with-vendors/policies-6_1
[24] http://security.harvard.edu/enterprise-security-policy/7-computers-and-servers/policies-7_1
[25] http://security.harvard.edu/enterprise-security-policy/7-computers-and-servers/policies-7_2
[26] http://security.harvard.edu/enterprise-security-policy/7-computers-and-servers/policies-7_3
[27] http://security.harvard.edu/enterprise-security-policy/7-computers-and-servers/policies-7_4
[28] http://security.harvard.edu/enterprise-security-policy/8-other-it-policies/policies-8_1
[29] http://security.harvard.edu/enterprise-security-policy/8-other-it-policies/82-incident-response-process
[30] http://security.harvard.edu/enterprise-security-policy/9-federal-regulatory/policies-9_1
[31] http://security.harvard.edu/enterprise-security-policy/9-federal-regulatory/policies-9_2
[32] http://security.harvard.edu/enterprise-security-policy/9-federal-regulatory/policies-9_3
[33] http://security.harvard.edu/resources/advisories/law-enforcement-requests
[34] http://security.harvard.edu/enterprise-security-policy/10-surveys/policies-10_1