FAS Information Security 201 Desktop Reference Guide
Introduction

Harvard University is committed to protecting information resources that are critical to its academic and research mission. Harvard is equally committed to preserving an environment that encourages academic and research collaboration through the responsible use of information technology resources.

The protection of confidential information is governed by legal, financial, and contractual obligations, in addition to University policy:

Federal Law
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)

State Law
- 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth

Harvard Policy
- Harvard Enterprise Information Security Policy (HEISP)

University Contracts
- Non-disclosure agreements, sponsored research agreements, etc.

Harvard has developed an Enterprise Information Security Policy to ensure that its technical resources are properly protected, that the integrity and privacy of confidential information are maintained, that information resources are available when needed, and that those who use these resources understand their responsibilities. For the complete text of this policy, see www.security.harvard.edu.
Table of Contents

Policy
- Confidential Information
- Student Information
- Annual Compliance Requirements
- Encryption Policy for Laptops
- Web Privacy Statements
- Music and File Sharing Software
- Working with Vendors

Basic Best Practices
- Choose a Secure Password
- Protect your Password
- Password Protect your Computer and Mobile Device
- Install the Latest System Updates on your Computer
- Install Anti-Virus Software on your PC
- Securely Dispose of Equipment and Data

Daily Best Practices
- Lock your Computer when Away from your Desk
- Save your Confidential Information on a Secure Server
- Exchange Confidential Information Securely
- Navigate the Web Cautiously
- Do Not Reply to Suspicious Email
- Use a Secure Connection when Working off Campus
- Protect Confidential Papers and Physical Records

Report Security Incidents (inside back cover)
Additional Help & Resources (back cover)
POLICY

Confidential Information

Information about a person or an entity that, if disclosed, could reasonably be expected to place the person or the entity at risk of criminal or civil liability, or to be damaging to financial standing, employability, reputation, or other interests.

Harvard is bound by laws, such as FERPA and HIPAA, and by contracts, such as some grants and vendor contracts, to protect some types of confidential information. Additionally, Harvard, under University, School or unit policies, requires protection of other kinds of information about the University or Schools, faculties, departments and other units, and about Harvard property (tangible or intangible). Confidential Information also includes High-Risk Confidential Information, as defined below, as well as other non-public personally identifiable information about individuals.

High-Risk Confidential Information

High-Risk Confidential Information (HRCI) is personally identifiable information whose confidentiality is governed by law. HRCI includes a person's name in conjunction with the person's Social Security, credit or debit card, individual financial account, driver's license, state ID, or passport number, or a name in conjunction with biometric information about the named individual. HRCI also includes personally identifiable human subject information and medical information.

Improper access to, use of, or release of High-Risk Confidential Information may trigger legal reporting requirements. Such information is subject to legal requirements upon disposal.
Confidential Information (continued)

Examples

Examples of Confidential Information (in addition to HRCI) include the following:
- Unpublished University financial information and development plans
- Salary information
- Employee benefits and other HR information
- Grades and other non-directory education records
- Financial information about applicants
- Non-public personal and financial data about donors
- Harvard identification numbers
- Information received under grants and contracts subject to confidentiality requirements
- Information on facilities security systems
- Unpublished research data
- Invention disclosures and patent applications
- Information specifically designated as private or confidential
Student Information

Harvard maintains extensive information about students and former students. The Family Educational Rights and Privacy Act (FERPA) is a federal law that controls access to these records. Student Information falls into two categories: directory information, which can generally be included in published or electronic directories, and all other information, which is confidential.

Harvard's Registrars have agreed on a common set of public directory information for students. Examples include name, address, telephone listing, email address, photograph, date of birth, and field of study. A complete list can be found in the Harvard College Handbook for Students and the GSAS Handbook under Academic Information (see www.registrar.fas.harvard.edu).

All other information that Harvard collects about a student is considered confidential. This information may be disclosed to University officials with a legitimate educational interest, that is, to officials who require the information in order to execute their professional responsibilities in relationship to their roles within the FAS.

The Harvard University ID is not directory information, and must be protected. Posting lists of Harvard IDs and grades, for example, is not permissible. It is also a violation of FERPA to leave essays or other student material containing names or Harvard IDs and grades in a pile to be picked up by students.

FERPA Block

By application to the Registrar's Office, students can exercise their right to restrict the display or public disclosure of their directory information. Known as a FERPA Block, this designation prohibits the disclosure of any information about these students.
Annual Compliance Requirements

On an annual basis, all FAS staff are required to complete education about Information Security and to certify their awareness of Harvard's policies. FAS Human Resources will provide additional information about this requirement.

In addition, all University employees must annually consent to a confidentiality agreement. This can be found under the Self Service menu in PeopleSoft.

Encryption Policy for Laptops

The theft of a Harvard computer or portable storage device (e.g., CD, USB flash drive, external hard drive) must not put confidential information at risk of disclosure. Because University-owned laptops are particularly vulnerable to loss or theft, they must be encrypted. Encryption software encodes and password-protects the contents of your hard drive when your computer is not in use.

If you use a Harvard-owned laptop, make sure that it is encrypted using PGP Whole Disk Encryption. For assistance with this process, contact help@fas.harvard.edu. You can also find software and instructions at http://pgp.fas.harvard.edu.

University policy prohibits storing HRCI on laptops or other portable devices, even if they are encrypted, or transmitting HRCI by other than encrypted means. Other confidential information must be encrypted if it is stored on a portable device. For more information see Daily Best Practices below.

Web Privacy Statements

All Harvard web sites must have a link to a privacy statement on the first page of the site. The privacy statement must also appear on the entry page of any group of pages under different management. The link must be in a visible location (often on the bottom line), in a font not smaller than that used elsewhere on the web page. The site must adhere to the privacy policy that is posted.

Examples of privacy statements can be found at www.security.harvard.edu under the heading Resources and subtopic Sample Statements.
Music and File Sharing Software

Do not install peer-to-peer file sharing software (e.g., BitTorrent, eDonkey, Gnutella, and LimeWire) on your Harvard computer without specific authorization. Doing so may subject you to University disciplinary action, as well as to civil or criminal penalties. File sharing software can pose a security threat to your computer and to the Harvard network. If peer-to-peer file sharing software is required for your job, FAS Information Security must first review it to ensure that its use will not pose a security risk.

Legal use of copyrighted material with the permission of the copyright owner or under the fair use or another exemption under copyright law is permitted for legitimate purposes, such as research or teaching, as required by an individual's position at Harvard. For more information on Harvard's policy with respect to digital copyright law, see www.dmca.harvard.edu.

Working with Vendors

Vendors dealing with Harvard confidential information, whether or not they obtain the data directly from the University, must have a written contract covering their services, including a requirement to protect confidential information. If the services involve HRCI or regular work with any confidential information, then the contract should include or attach a contract rider governing the protection of that information. Contract riders can be found at www.security.harvard.edu under the heading Enterprise Security Policy and subtopic Working with Vendors.

Those who wish to contract with a vendor to collect or work with High-Risk Confidential Information must obtain prior approval from the University CIO. The security policies and procedures of vendors who will receive, collect, store, or process this data must be reviewed by the Harvard Information Security Officer and/or Harvard Risk Management and Audit Services. For more information, contact security@fas.harvard.edu.
BASIC BEST PRACTICES

Choose a Secure Password

Choose a password that you can remember without having to write it down. Use at least 8 characters. Mix upper and lower case letters, and include combinations of numbers and symbols. Do not use real words, names, dates, phone numbers, addresses, or personally identifiable information as part of your password.

Tips for Choosing a Secure Password:
- Take the first letter of each word in a phrase you know.
- Substitute or add other letters, numbers, symbols, and capitalization.
- Do not use the example here or one that appears in any other document as your password.

EXAMPLE:
Phrase: Whose woods these are I think I know
First letters: W w t a I t I k
After substitution: W w t R? 1 t 1 n0
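The two steps of the guide's tip (first letters of a phrase, then substitutions) and the stated rules (at least 8 characters, mixed case, digits and symbols, no real words, dates or phone numbers) can be turned into a small checker. The Python below is an added example written for this page, not a tool from FAS IT; the blocked-word list and the substitution map are constructed for the demonstration, and the candidate it derives from the guide's sample phrase is only there to show the mechanics, since the guide says not to use that example as a real password.

```python
import re

# Constructed blocklist standing in for the "real words, names, dates, phone
# numbers" the guide tells you to avoid; a real checker would load a dictionary.
BLOCKED_WORDS = ("password", "harvard", "crimson", "welcome", "letmein")


def initials(phrase):
    """Step 1 of the guide's tip: take the first letter of each word."""
    return "".join(word[0] for word in phrase.split())


def substitute(text, replacements):
    """Step 2: swap selected letters for numbers/symbols.

    The replacement map is supplied by the caller (ours below, not the guide's).
    """
    return "".join(replacements.get(ch, ch) for ch in text)


def password_problems(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    lowered = password.lower()
    for word in BLOCKED_WORDS:
        if word in lowered:
            problems.append("contains the word '%s'" % word)
    # A four-digit year (1900-2099) is the most common date fragment in passwords.
    if re.search(r"(19|20)\d\d", password):
        problems.append("contains a year")
    # Seven or more digits in total looks like a phone or account number.
    if len(re.sub(r"\D", "", password)) >= 7:
        problems.append("contains a phone- or account-number-like digit run")
    return problems


def is_acceptable(password):
    return not password_problems(password)


if __name__ == "__main__":
    base = initials("Whose woods these are I think I know")   # WwtaItIk
    candidate = substitute(base, {"a": "@", "I": "1"})        # constructed map
    print(candidate, password_problems(candidate))
    print("Harvard2010!", password_problems("Harvard2010!"))
```

The checker only tests the rules the guide states; it does not measure entropy, and a password that passes every rule can still be weak if it is reused on other sites, which is why the guide separately says not to use the FAS password elsewhere.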
Protect your Password

Never share your password with anyone. Never write down your password (e.g., on a sticky note), especially next to your computer. FAS IT will never ask you for your password. Moreover, no one affiliated with Harvard can legitimately ask you for your password until you leave the University.

Password Protect Your Computer and Mobile Device

Instructions for Windows XP:
- Press Ctrl-Alt-Delete
- Select Change Password...
- Under User name enter Administrator
- Under Log on to... select this computer from the pull-down menu

Instructions for Mac OS X:
- Go to the General Tab under System Preferences
- Select Require password to wake this computer from sleep or screen saver

Instructions for BlackBerry:
- Go to Options
- Select Security Options from the scroll-down menu
- Choose General Settings
- Next to Password, choose Enabled from the pull-down menu

Instructions for iPhone:
- Go to Settings
- Select General
- Select Passcode Lock
Install the Latest System Updates on your Computer

Ensure that you are running the latest version of the operating system that was installed on your computer when you obtained it.

For PCs:
- Launch Internet Explorer, and go to www.windowsupdate.com
- Choose the Express option to obtain high-priority updates
- Go to the Start Menu, right-click on My Computer, and select Properties
- Open the Automatic Updates tab and select a time each day that updates can be automatically downloaded and installed. Choose a time that you know your computer will be turned on and connected to the network.

For Macs:
- Go to www.apple.com/downloads/macosx

Install Anti-Virus Software on your PC

PC owners should download and install approved anti-virus software on their systems:
- Go to www.fas-it.fas.harvard.edu
- Select Software Downloads from the main menu
Securely Dispose of Equipment and Data

Before disposing of your computer:
- Securely erase the entire hard drive, including all data, software, and operating system components. Deleting your files or reformatting the hard drive is not sufficient. Contact FAS Information Security at security@fas.harvard.edu for more information.
- Contact DataShredder, a Harvard preferred vendor, to dispose of erased hard drives: Data Shredder, 800-622-1808, www.datashredder.net

Before disposing of physical (non-electronic) media:
- Use a cross-cut shredder to ensure that confidential documents cannot be reconstructed.
- Dispose of hard-copy High-Risk Confidential Information, or CDs containing HRCI, in an approved, locked shred bin.
DAILY BEST PRACTICES

Lock your Computer when Away from your Desk

Set your screen saver to lock automatically after no more than fifteen (15) minutes of inactivity. Before leaving your office for an extended period, either shut down your computer or put it into sleep mode:
- For PCs, press CTRL-ALT-DEL and select Lock Computer
- For Macs, go to the General Tab under System Preferences, and then select Require password to wake this computer from sleep or screen saver

Use a cable lock to secure your laptop.

Save your Confidential Information on a Secure Server

The best location for confidential information is a secure server, such as the FAS shared file server. Never store High-Risk Confidential Information (HRCI) on your desktop or laptop, USB flash drive, CD, or external hard drive, even if the computer disk or device is encrypted. Confidential information that is not High-Risk can only be stored on a USB flash drive, CD, or external hard drive if it is encrypted. If you need to copy confidential information onto one of these devices, contact security@fas.harvard.edu.
Exchange Confidential Information Securely

Use the Accellion Secure File Transfer Server to send files containing confidential information to others. Do not use regular email for this purpose.
- Login to Accellion at https://fta.fas.harvard.edu using your FAS or Life Sciences email address and password
- When you see a message regarding a digital signature or Java security prompt, click OK and then Run to continue
- In the Send File window, enter the address of the intended recipient, as well as a subject line and message
- Choose Browse to attach the confidential file to your message
- Choose Send
- The recipient will receive email with a link to the secure Accellion server where the file will be available for 15 days

Complete instructions on using Accellion can be found on the FAS IT website:
- Go to www.fas-it.fas.harvard.edu
- In the search field at the top of the page, enter Accellion

Navigate the Web Cautiously

Never provide personally identifiable information on a website that you did not intend to visit. Before submitting any confidential information, check for https in the URL and look for the lock symbol in your browser. Beware of non-Harvard URLs that claim to be official University websites. Do not use your FAS password for non-Harvard websites. Web sites that support gambling, pornography, or illicit behaviors may contain harmful code that can compromise your computer as well as your data.
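The two checks in "Navigate the Web Cautiously" (is it https, and is it really a Harvard address rather than a non-Harvard URL that only looks official) can be made mechanical. The Python below is an added example for this page, not FAS IT code; it treats harvard.edu and its subdomains as the official domain (an assumption made for the example) and uses the standard library's URL parser so that addresses with a deceptive "harvard.edu" before an "@" or in front of some other domain are judged by the host the browser would actually connect to.

```python
from urllib.parse import urlsplit

# Domain the example treats as official; everything else is "non-Harvard".
# (Assumption for this example; the guide does not list domains.)
OFFICIAL_DOMAINS = ("harvard.edu",)


def is_official_host(host):
    """True for harvard.edu itself and any subdomain of it, nothing else."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def url_warnings(url):
    """Return the reasons a URL should not receive confidential information.

    An empty list means the address passed both of the guide's checks.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""      # real host: lowercased, user-info stripped
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("no https: the form would be sent unencrypted")
    if "@" in parts.netloc:
        # e.g. https://www.harvard.edu@example.com/ shows a Harvard name but
        # connects to example.com; .hostname already reports the real host.
        warnings.append("address contains '@'; the real host is " + host)
    if not is_official_host(host):
        warnings.append("host '%s' is not a harvard.edu host" % host)
    return warnings


def safe_to_submit(url):
    return not url_warnings(url)


if __name__ == "__main__":
    # Constructed sample addresses, including look-alikes.
    for sample in (
        "https://www.fas.harvard.edu/login",
        "http://www.fas.harvard.edu/login",
        "https://harvard.edu.example.com/login",
        "https://www.harvard.edu@example.com/login",
    ):
        print(sample, "->", url_warnings(sample) or "ok")
```

The host check is a suffix match on the registered domain, so "harvard.edu.example.com" and "harvard-edu.example.com" both fail, while "HARVARD.EDU" passes because the parser lowercases host names. A passing result only means the address is what it claims to be; it says nothing about whether the page itself is trustworthy.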
Do Not Reply to Suspicious Email

Phishing Schemes are fraudulent email messages claiming to be from a legitimate source that ask you to submit confidential information such as your username, password, or date of birth.
- Never provide personally identifiable information in response to unsolicited email.
- Do not open email attachments that you were not expecting to receive.
- Beware of unsolicited email with links to the Harvard PIN site.
- Always copy and paste a link that you receive in email; don't just click on it.
- Never share your password with anyone. FAS IT will never ask you for your password. In fact, no one affiliated with Harvard can legitimately ask you for your password until you leave the University.
Use a Secure Connection when Working off Campus

Install Virtual Private Network (VPN) software, known as AnyConnect, to use when connecting to Harvard's network from off campus:
- Go to https://vpn.fas.harvard.edu
- At the username prompt, enter your complete FAS email address

Protect Confidential Papers and Physical Records

- Keep confidential paper records in locked filing cabinets when not in use.
- Keep fax and copying machines that are used with confidential information in locked, protected areas.
- Restrict physical access to any facility that contains confidential information. Access control measures include smart card swipes, PIN keypads, locked doors, and guards who can check photo IDs.
- Do not leave confidential information on copiers, fax machines, or other shared devices.
Report Security Incidents

Immediately report any loss or breach of High-Risk Confidential Information to FAS Information Security, who in turn will apprise the University CIO and Office of the General Counsel:
- FAS Director of Information Security: (o) 617-496-5704, (c) 617-999-3867
- FAS Information Security Team: 888-858-5357

In the event that any Harvard data, computer, or mobile handheld device is lost or stolen, report this to FAS Information Security (security@fas.harvard.edu), your Department Administrator or Chair, and the Harvard Police (617-495-1215).

FAS Information Security has a Computer Incident Response Team that can scan your computer for vulnerabilities or assist with any computer security concern. Please contact security@fas.harvard.edu at the first sign of a security issue. Do not take action on your own, as this may damage or destroy evidence required for a digital forensic investigation.

You can also contact FAS Information Security in the event of the following:
- You suspect that there has been a data breach
- Your password has been compromised
- The performance of your computer suddenly decreases
- You see new software on your computer that you do not recognize
- You believe that you have a computer virus
- You encounter a phishing scheme
Additional Help & Resources:
- Harvard's Information Security Website: www.security.harvard.edu
- FAS IT Information Security: security@fas.harvard.edu
- FAS IT Support: help@fas.harvard.edu, 617-495-9000

Information Security 201 Desktop Reference Guide
April 2010
FAS Information Technology, Harvard University
© 2010 President and Fellows of Harvard College