Both the Chief Information Security Officer (Christian Hamer) and the Office of the General Counsel (OGC) must be notified. If you discover or are dealing with a data security breach, contact the OGC by calling 617-495-1280 or by emailing email@example.com. The OGC will help coordinate the response to the breach.
Passwords must comply with the University's information security policy. This means a minimum of 8 characters with at least one non-alphabetic character (a digit or a symbol). Passwords should not be individual dictionary words, common names, or sequences of numbers. "F4&yh10!" is an example of a password that meets these requirements.
A longer password is a stronger password. Consider creating a password comprised of several unrelated words with numbers and special characters interspersed. This is often referred to as a pass...
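The following checker is an added example, not part of the original page or of Harvard's own tooling. It enforces the rules stated above (minimum of 8 characters, at least one non-alphabetic character, not a single dictionary word or common name, not a run of digits) and adds a rough brute-force strength estimate so the 8-character example can be compared with a passphrase. The word list is a constructed stand-in, the treatment of a word with only leading or trailing digits or symbols as "still a single word" is an assumption, and the strength figure is an upper bound for guessing over the character set, not a measure of resistance to dictionary attacks.

```python
"""Password-policy checker (added example; word list is constructed)."""
from __future__ import annotations

import math
import re
import string

MIN_LENGTH = 8

# Constructed stand-in for a dictionary / common-name list. A real
# deployment would use a full dictionary and a breached-password list.
COMMON_WORDS = {
    "password", "welcome", "harvard", "crimson", "sunshine",
    "michael", "jennifer", "letmein", "football", "baseball",
}


def is_digit_sequence(password: str) -> bool:
    """True when the whole password is a run of digits (e.g. 12345678)."""
    return password.isdigit()


def core_word(password: str) -> str:
    """Strip leading/trailing non-letters, so 'Harvard1!' is judged as
    'harvard'. Assumption: a word with only surrounding digits or symbols
    still counts as a single dictionary word under the stated rule."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def policy_violations(password: str) -> list[str]:
    """Return the stated rules the password violates; empty list if it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if all(ch.isalpha() for ch in password):
        problems.append("no non-alphabetic character")
    if core_word(password) in COMMON_WORDS:
        problems.append("single dictionary word or common name")
    if is_digit_sequence(password):
        problems.append("sequence of numbers")
    return problems


def estimated_bits(password: str) -> float:
    """Naive brute-force estimate: length * log2(size of the character
    classes actually used). This is an upper bound; word-based passphrases
    are weaker against dictionary attacks than this figure suggests, but
    the comparison still shows why length dominates added symbols."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 symbols
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    samples = ["F4&yh10!", "password", "Harvard1!", "12345678",
               "correct-horse7battery!staple"]
    for pw in samples:
        verdict = policy_violations(pw) or ["OK"]
        print(f"{pw!r}: {', '.join(verdict)}; ~{estimated_bits(pw):.1f} bits")
```

Running the block prints a verdict and estimate for each constructed sample; the 8-character example passes at roughly 52 bits, while the four-word passphrase with interspersed characters passes at well over 150 bits under the same naive estimate.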
A few of the laws that are important to know about are those that govern student information, personally identifiable information (Harvard refers to this as High Risk Confidential Information) and medical record information. Harvard Office of the General Counsel (OGC) may be consulted about compliance with the laws and regulations that are relevant to the Harvard community.
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act is a federal law governing the maintenance and disclosure of records maintained by schools...
Level 3 information should not be directly emailed. Instead, store the information in a Harvard-contracted file storage service, limit the permissions to only intended recipients, and share the link via email. Public or so-called anonymous links should not be used. Examples of Harvard-contracted file storage services include g.Harvard apps and Office 365.
Level 4 information may be sent via Accellion. Please confirm that recipients understand and are ready to appropriately...
Level 2 or 3 Confidential Information must be protected on your computer. Full-disk or file-level encryption is an example of suitable protection. Your personal device must be configured so that only the person who uses the device can access it. Smartphones and tablets must be configured to require a PIN or password for access, and must be set to automatically wipe their storage after 10 bad PIN or password guesses.
Reminder: Level 4 high risk confidential information must never be stored on your computer or storage device.
State and federal regulations mandate that a group only obtain and maintain the high risk confidential information or student record information needed to accomplish a legitimate business purpose. The regulations also mandate that such information only be retained for as long as it is needed for that purpose.
Yes. This information is considered high risk and is very carefully managed. Access to this information must be controlled and reviewed periodically. If you need to gather High Risk Confidential Information from sources within the University, from non-University sources, or from the individuals themselves or provide such information to a vendor, you must obtain permission to do so from the School or University CIO. HUIT Security or your school security officers will work with you to develop a plan to provide sufficient protection for the Level 4 data.