Harvard University Information Security Update - PowerPoint PPT Presentation

Slides: 19
Provided by: tmar2
Transcript and Presenter's Notes


1
Harvard University Information Security Update
  • School of Public Health
  • March 25, 2008

2

Harvard Enterprise Security Policy
  • Over the past two years the University has
    developed guidelines and recommendations to
    ensure that Harvard's technical resources are
    properly protected, that the integrity and
    privacy of confidential information are
    maintained, that information resources are
    available when they are needed, and that users of
    these resources understand their
    responsibilities.

3
The rules of the game just changed...
  • Two recent incidents at the University have
    changed everything:
    - Harvard ID card fraud by a student
    - GSAS web server breach
  • Bad publicity.
  • Damaged credibility.
  • Costly incident.

4
Everything just got stricter...
  • The President, Provost, and members of the
    Corporation have demanded immediate action to
    address the problems and risks at all levels of
    the University, both centrally, and at every
    school.
  • People need to lose their jobs

5
So why are you here ?
  • Every Harvard employee is required to protect
    confidential or high risk information.
  • You or your department probably handle or have
    access to such information.
  • Protecting this information is YOUR
    responsibility !!

6
What needs to be protected ?
  • Social security numbers, credit card numbers, and
    bank account information
  • Personally identifiable human subject information
  • Personally identifiable medical information
  • HUID accompanied by name

7
What is Confidential Information?
  • Information about a person or an entity that, if
    disclosed, could reasonably be expected to place
    either the person or the entity at risk of
    criminal or civil liability, or be damaging to
    financial standing, employability, or reputation.
    Harvard is bound by law or by contract to protect
    some types of confidential information.
    Additionally, Harvard requires protection of some
    other kinds of information beyond legal or
    contractual requirements as an additional
    safeguard.

8
What is Confidential Information?
  • Unless specifically designated as public
    information, all information about present and
    former students, faculty, and staff, and other
    individuals who deal with Harvard, should be
    considered to be confidential.
  • Confidential information also includes all
    non-public information about Harvard.
  • Certain categories of information are classified
    as high risk, either because exposure can cause
    harm, or because the information is protected
    under law or under contract.

9
What is High Risk Information?
  • ANY of the following, in electronic or paper
    form
  • Social security number
  • Credit or Debit card number
  • Financial account number
  • Drivers license number
  • State identification number
  • Passport or visa number
  • Biometric information

10
Where do security risks lie ?
  • Computer hacking
  • Lost or stolen computers or portable drives
  • Misdirected email (mail sent outside of
    GroupWise is NOT secure)
  • Discarded paper files
  • Recycled PCs that have not had the hard drive
    securely erased
  • Unlocked file cabinets

11
What are the new policies ?
  • 1.1 High-Risk Confidential Information
  • No member of the Harvard community and no vendor
    to Harvard is permitted to store High-Risk
    Confidential Information (other than their own)
    in any way relating to Harvard or Harvard
    sponsored activities, locally on any individual
    user computer or on a portable storage device,
    whether Harvard owned or not, or whether
    encrypted or not.
  • Non-electronic records containing high-risk
    confidential information must be kept in secure
    locked containers except when in use.
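Policy 1.1 forbids keeping the high-risk identifiers listed on slide 9 (SSNs, card numbers, and so on) on individual workstations or portable drives, which means someone has to find the copies that already exist. The following scanner is an added example, not code from the presentation or from Harvard: it looks for SSN-shaped and card-shaped strings in text, discards the common false positives (dates, order numbers, SSN ranges the SSA never issues, card-like numbers that fail the Luhn check), and reports only the last four digits so the report does not become another copy of the data. The sample input, the regular expressions, and the function names are constructed for illustration; a hit is a candidate for review, not proof of a violation.

```python
from __future__ import annotations

import os
import re
import sys

# Constructed sample input for the demonstration (not data from the slides):
# a CSV-style export as it might be found lying on a workstation.
SAMPLE_TEXT = """\
Name,HUID,SSN,Card
Jane Doe,12345678,123-45-6789,4111 1111 1111 1111
John Roe,87654321,078-05-1120,5500 0000 0000 0004
Order 2008-03-25 ref 1234567890123 (not a card)
"""

# Candidate patterns. Both are deliberately loose; the filters below remove
# the obvious false positives (dates, order numbers, impossible SSN ranges).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings that the SSA never issues."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_high_risk(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, masked_value) for each candidate SSN or card number.

    Only the last four digits are kept, so the report itself does not become
    another copy of high-risk data.
    """
    hits: list[tuple[int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                hits.append((line_no, "ssn", "***-**-" + m.group(3)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((line_no, "card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_tree(root: str) -> dict[str, list[tuple[int, str, str]]]:
    """Scan every file under root (read as text, undecodable bytes ignored)."""
    report: dict[str, list[tuple[int, str, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_high_risk(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan.py /path/to/user/files
        for path, hits in scan_tree(sys.argv[1]).items():
            for line_no, kind, masked in hits:
                print(f"{path}:{line_no}: {kind} {masked}")
    else:
        for line_no, kind, masked in find_high_risk(SAMPLE_TEXT):
            print(f"sample:{line_no}: {kind} {masked}")
```

Run against a directory it prints one line per candidate with the file, line number, kind and masked value; the 13-digit order reference in the sample is matched by the card pattern but dropped because it fails the Luhn check. A scanner like this only reads plain text, so spreadsheets, PDFs and mail stores need to be exported or converted first, and the output itself should be treated as confidential.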

12
What are the new policies ?
  • Confidential Information
  • access to confidential information requires
    approval
  • only authorized employees can use the
    applications that handle it
  • assess who has access, and whether they really
    need it
  • must be encrypted when sent over networks
  • must NOT be stored on any computer not owned and
    managed by Harvard
  • must be encrypted on any computer not located at
    Harvard
  • no direct Internet access to servers holding
    confidential information

13
What are the new policies ?
  • Confidential Information
  • unique IDs and non-shared strong passwords are
    required
  • User accounts and passwords must not be shared
    (e.g. faculty members giving passwords to
    assistants)
  • lockout after repeated failed logins
  • time out idle logins; use a password-enabled
    screen saver on your PC during inactivity
  • Lock your files and lock your door when stepping
    away
  • Hard drives must be securely erased before
    recycling
  • USB keys must be encrypted
  • Protect your PC: apply security patches and use
    anti-virus software

14
What are the new policies ?
  • Confidential Information
  • properly dispose of high-risk information: use
    the data shredding bins at SPH
  • obey FERPA on student information
  • obey PCI standards for payment cards
  • vendor contracts must include a security rider
  • web-based surveys need to be secure
  • require employee confidentiality agreements
  • theft of a user's computer must not put
    confidential data at risk
  • report breaches

15
What are the new policies ?
  • Massachusetts ID Theft Law
  • Requires protection of confidential information
    about Massachusetts residents
  • Harvard must disclose loss or theft of
    unencrypted data
  • proper destruction of electronic and paper
    records is required

16
What are Your Responsibilities ?
  • Protect the data !!!
  • Raise everyone's awareness in your Dept.
  • Review your internal policies and procedures
  • Assess who this affects and what information is
    involved, including consultants and contractors
  • Establish formal procedures for areas handling
    sensitive information
  • Everyone who works with confidential information
    needs to know the rules, all the applicable rules:
    HEISP, Mass law, FERPA ...
  • Create an annual and ongoing awareness program

17
We are all in this together!

18
QUESTIONS ?