View as PDF 
Harvard has developed this Enterprise Information Security Policy to ensure that Harvard's technical resources are properly protected, that the integrity and privacy of confidential information is maintained, that information resources are available when they are needed and that users of these resources understand their responsibilities.
The following policies are provided with detailed information, including a Discussion on the policy and Best Practices for compliance. View guidelines for School and Central Administration compliance . View guidelines for Risk Assessment .
No member of the Harvard community and no vendor to Harvard is permitted to store High-Risk Confidential Information (other than their own) in any way relating to Harvard or Harvard sponsored activities locally on any individual user computer or on a portable storage device. Servers storing high-risk confidential information must be protected as Target Computers.
Non-electronic records containing high-risk confidential information must kept in secure locked containers except when in use.
People or groups at Harvard who wish to collect or work with High-Risk Confidential Information or to contract with a vendor to collect or work with such information must obtain prior approval from their School or University Information Security Officer.
Under Federal law all research at Harvard that includes human subjects must be approved by a Harvard Institutional Review Board (IRB). Personally identifiable data collected for, used in, or produced by research involving human subjects must be protected from inadvertent or inappropriate disclosure. Proposals for all research projects that involve such data must include an acceptable, effective, and documented procedure for the protection of such data before the project can be approved or granted continuing approval by the IRB.
Personally identifiable Medical Information at Harvard is subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA) when used or kept by units of Harvard that are considered "covered entities" under HIPAA. Personally identifiable medical information used or kept elsewhere at Harvard is still highly sensitive and confidential, and must be protected in compliance with the policies for protecting High-Risk Confidential Information.
The University Helpdesk must be contacted (617.496.2001 or firstname.lastname@example.org) to obtain access to any Directory Services resource (e.g., the ID management system) containing confidential information about individuals.
Access to Harvard core financial or reporting applications (e.g. Oracle Financials and Peoplesoft) should be requested via the local Authorized Requester for the application.
In addition, anyone working with or collecting high risk confidential information about individuals, even if they do not obtain this information from the University core databases, must contact email@example.com or their local school security officer or CIO to discuss data policy and handling requirements before beginning application development.
Only the confidential information reasonably necessary to accomplish a legitimate business purpose should be obtained and the time that such information is retained should be limited to that reasonably necessary to accomplish such purpose.
All confidential information must be encrypted when transported across any network.
Users should clearly understand that many common systems such as normal email cannot be considered a secure way to transport confidential information.
A secure file transfer method must be available to, and used by, all users needing to transfer confidential information.
Any application that provides public access to directory information collected by Harvard about individuals and any process that creates printed lists of people for public display or distribution must adhere to any privacy preferences established by the individuals.
System owners must be able to identify individual users of systems that contain or access confidential information. Passwords used to access such systems must meet current industry standards for length and complexity. User passwords must not be shared and must not be retrievable by anyone, including the system operator.
The Harvard PIN system or LDAP Server are to be used for University applications that access confidential information unless a specific exception is made by the University CIO.
There must be a mechanism to limit to the number of repeated unsuccessful attempts to log into an application or server that deals with confidential information.
There must be a mechanism to time out a user’s access to applications that deal with confidential information.
Application owners must ensure that only users with a specific business reason to access an application can access that application and no more than that application. Access rights to applications that can access confidential information must reflect a user’s current university status.
Administrative access rights to servers with confidential information must be limited to system administrators with a specific business reason for access and such access must be logged; any access rights must change if their university or status changes.
Access to non-electronic records containing confidential information must be restricted to people with a business need to access the records.
There must be written policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing high risk confidential information about people other than themselves outside of business premises.
Harvard Confidential Information must be protected if it resides on a Harvard user's computer or a portable storage device. The theft of a computer or portable storage device must not put Confidential Information at risk of disclosure. See also Section 1.1: Storing High-Risk Confidential Information, which prohibits storing high-risk confidential information on such computer or device. All University owned laptops should be encrypted.
All University owned user computers and servers must be annually scanned to locate High Risk Confidential Information (HRCI).
No Harvard confidential information can be saved on any computer directly accessible from the Internet or from the open portions of Harvard’s internal network.
University employees who have access to confidential information must annually agree to a confidentiality agreement.
Access to lists and databases of HUIDs should be restricted to persons who have specific need of such access for performance of their jobs.
Each School and central administration must identify and provide training for staff members who are involved in the use or processing of Confidential and High Risk Confidential Information.
Each School must ensure that security requirements and related expectations are properly communicated to their faculty members.
Harvard Registrars have developed a set of Common FERPA Directory Information Elements. Individual Harvard Schools may designate some, but need not designate all, of these elements as “directory information” for their students.
Harvard University will allow acceptance of credit cards as payment for goods, services, or gifts only in accordance with the procedures outlined in the Harvard University Credit Card Merchant Handbook.
Whether in Harvard offices or at off-site locations, all confidential information in paper or magnetic media form must be properly protected. Computers containing confidential information must be physically secure.
Physical access to any facility that is sensitive for any reason should be appropriately secure.
Any unit that maintains logs or automatically generated records of actions of individuals must adopt written policies on the purpose of, and retention and access policies for, such logs and records.
Harvard vendors dealing with Harvard confidential information, whether or not they obtain the data directly from Harvard, must have a written contract covering their services including the proper contract riders requiring the protection of Harvard’s information. The security design, policies, and procedures of vendors who will receive, collect, store or process high-risk confidential information must be reviewed by the Harvard Information Security Officer and/or Harvard Risk Management and Audit Services.
People or groups at Harvard who wish to contract with a vendor to collect or work with high-risk confidential information must also obtain prior approval from the School and/or University CIO.
Computer operators must ensure that the computer environment is secure, patches are up to date and the machines are operated in a way to minimize the chance of a security breach. Computer operators also must ensure that only required applications are enabled on a computer.
All faculty, research, or student-managed systems with confidential information must annually certify their compliance with university IT security policies.
Computer operators must ensure that the computer environment is properly protected by filters to ensure that malicious traffic does not reach the applications on the server.
Systems that might be targets of special interest to hackers because of the information they contain or the resources they control need special protections. This category includes systems containing high-risk confidential information and building management, control and access systems as well as systems containing valuable research data.
All such high risk systems and those containing HRCI must be on private address space and locally firewalled. Annual vulnerability testing must be done on all high risk servers and those containing HRCI.
Network managers are authorized by the University to run vulnerability scans in order to identify security risks and to protect computing and networking resources. Network operators should monitor network activity for signs of attack and take action in the absence of action by the operators of a compromised computer.
If the loss of a set of confidential data, or the extended loss of access to it, presents a substantial business risk, then the security and availability of this confidential information must be assured. Each business area using such confidential information must develop and document a business continuity plan containing data backup, disaster recovery timeline, methodology, documentation, procedures, and action steps.
Each School and Central Administration unit must have, disseminate, and use an incident response process.
Electronic or physical records containing confidential information must be properly disposed of so that the confidential information cannot be retrieved.
If it becomes known or suspected that Harvard Confidential Information may have been acquired or used by an unauthorized person or for an unauthorized purpose, the matter should be immediately reported to the Harvard University Office of General Counsel.
If you are approached by someone representing themselves as a law enforcement officer and who requests information about Harvard students, faculty or staff please tell them to contact the Office of the General Counsel (OGC). http://www.ogc.harvard.edu 617-495-1280. See Harvard Staff Advisory: Responding to Law Enforcement Requests .)
The OGC is the only organization at Harvard authorized to respond to such requests. An exception should be made if you conclude that a fast response is required to protect someone's health or safety. In such a case please record the name and identification of the requester and the information that was requested. Contact the OGC as soon as possible to let them know what happened.
Data collection tools, such as web based surveys, that request confidential information must ensure that responses cannot be accessed by unauthorized persons and that personally identifiable information is not improperly disclosed or shared. If a vendor is involved in conducting the survey or analyzing results that include confidential information that can be linked to individuals, a contract must be in place that protects the confidential information.