Welcome to the SPH Information Security Learning Module

Presentation transcript:

Welcome to the SPH Information Security Learning Module
We all share a role in keeping Harvard’s confidential information secure.

A Shared Responsibility
A recent correspondence from the University CIO and Vice-President for Human Resources reminded the University community: As employees of Harvard, most of us work with confidential information from time to time, and each of us is responsible for properly protecting the confidentiality of that information. The University is working to ensure that all employees are regularly reminded of their responsibilities regarding confidential information.

Objectives
This learning module is designed for SPH staff to raise awareness of the Harvard Enterprise Information Security Policy by helping you to:
• Recognize High-Risk and other Confidential Information.
• Understand how to protect it.
• Know how to report a security breach.

Confidential Information (CI)
Confidential Information is data about a person or an entity that, if disclosed, could reasonably be expected to place the person or the entity at risk of criminal or civil liability, or to be damaging to financial standing, employability, reputation or other interests. For example:
• Salary information
• Employee benefits and other HR information
• Grades and other non-directory education records
• Harvard IDs that are linked to names
• Unpublished research data

High-Risk Confidential Information (HRCI)
High-Risk Confidential Information is personally identifiable information whose confidentiality is governed by law. HRCI includes a person’s name, in conjunction with:
• Social Security number
• Credit or debit card account number
• Individual financial account number
• Driver’s license number or state ID number
• Passport number
• Biometric information (e.g., MRI scan)
HRCI also includes personally identifiable human subject information and medical information.

Student Information
The Family Educational Rights and Privacy Act (FERPA) is a federal law that controls access to information about students and former students. Student Information falls into two categories: directory information (which can be included in published or electronic directories) and all other information, which is considered confidential. Posting lists of Harvard IDs and grades, for example, is not permissible. It is also a violation of FERPA to leave essays or other student material containing names or Harvard IDs and grades in a pile to be picked up by students.

FERPA Block
By application to the Registrar’s Office, students can exercise their right to restrict the display or public disclosure of their directory information. Known as a “FERPA Block”, this designation prohibits the disclosure of any information about these students.

Storing HRCI and CI
• HRCI should only be stored in a designated University or SPH system such as PeopleSoft. If there is a business reason to store the data in another location, please contact SPH Information Security.
• Never store HRCI on your desktop or laptop, USB flash drive, CD or external hard drive, even if the computer disk or device is encrypted.
• Confidential Information that is not High-Risk can only be stored on a USB flash drive, CD or external hard drive if the drive is encrypted.

Exchanging Confidential Information Securely
Use the Accellion Secure File Transfer Server (accellion.sph.harvard.edu) to send files containing confidential information to others within or outside of the University. Do not use regular email for this purpose.

Tips for Navigating the Web
• When browsing the web, and before submitting any confidential information, check to ensure that the web address begins with “https” in the browser window and look for the lock symbol in your browser.
• Beware of non-Harvard websites that claim to be official University sites.
• Do not use your SPH password for non-Harvard websites.
• Never provide personally identifiable information on a website that you did not intend to visit.
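The two checks on this slide (the address uses https, and the site really belongs to the University rather than merely looking like it) can be written down precisely. The script below is an added example, not part of the module; it assumes harvard.edu as the trusted domain and uses constructed sample addresses. The interesting part is how the host is matched: comparing on DNS label boundaries is what rejects look-alikes such as harvard.edu.example.com, harvard-edu.com, or a URL whose user-info field is made to read like the real host.

```python
from urllib.parse import urlsplit

# Trusted institutional domain(s) assumed for this example; the module names
# harvard.edu sites but does not publish an allow-list.
TRUSTED_DOMAINS = ("harvard.edu",)


def is_trusted_host(hostname, trusted=TRUSTED_DOMAINS):
    """True only if hostname equals a trusted domain or is a subdomain of it.
    Matching on label boundaries ('.' + domain) defeats look-alike names such
    as 'harvard.edu.example.com' or 'harvard-edu.com'."""
    host = hostname.lower().rstrip(".")  # normalise case and a trailing root dot
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return True
    return False


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Apply the slide's two checks before confidential data is submitted:
    the address must use https and the host must belong to the institution.
    Returns (ok, reason)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https (scheme is %r)" % parts.scheme
    # .hostname strips any 'user@' prefix and ':port', and lower-cases the name,
    # so 'https://harvard.edu@example.com/' is correctly seen as example.com.
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if not is_trusted_host(host, trusted):
        return False, "host %r is not under a trusted domain" % host
    return True, "ok: https and host %r is trusted" % host


# Constructed sample addresses for the demonstration, not pages from the module.
SAMPLES = [
    "https://www.hsph.harvard.edu/login",
    "http://www.hsph.harvard.edu/login",
    "https://harvard.edu.example.com/pin",
    "https://www.harvard-edu.com/pin",
    "https://harvard.edu@example.com/pin",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_url(sample)
        print(("PASS " if ok else "FAIL ") + sample + "  -> " + reason)
```

Only the first sample passes; the other four each fail for a different reason, which is why a user-facing check should report the reason rather than a bare yes/no.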

Do Not Reply to Suspicious Email
“Phishing Schemes” are fraudulent email messages claiming to be from a legitimate source that ask you to submit confidential information such as your username, password, or date of birth.
• Be cautious about opening email attachments that you did not expect to receive. If in doubt, call the sender.
• Beware of unsolicited email with links to the “Harvard” PIN site.
• Never provide personally identifiable information in response to unsolicited email.
• Never click on a link in the body of an email; always copy and paste the URL in a browser window.

Use a Secure Connection When Working Off Campus
When connecting to Harvard’s network from off campus, use Virtual Private Network (VPN) software, known as AnyConnect, by going to vpn5.harvard.edu.

Choose a Secure Password
• Choose a password that you can remember without having to write it down.
• Use at least nine characters.
• Mix upper and lower case letters, and include combinations of numbers and symbols.
• Do not use real words, names, dates, phone numbers, addresses, or personally identifiable information as part of your password.
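The rules on this slide are the kind of thing an account system enforces at password-change time. The checker below is an added example, not code from the module or from Harvard; it implements the slide's rules as written and assumes a small constructed word list in place of a real dictionary file, plus a caller-supplied list of the user's own personal information (names, birth date, phone number) so those can be rejected too. It returns every violated rule rather than the first, which is what a user needs in order to fix the password.

```python
import re

# Constructed stand-in for a real dictionary file; a deployment would load a
# proper word list (and the user's names) instead of this handful of entries.
COMMON_WORDS = {"password", "welcome", "harvard", "summer", "letmein", "qwerty", "admin"}

# The slide's character-class rules: mixed case plus numbers and symbols.
CLASS_CHECKS = [
    ("no upper-case letter", re.compile(r"[A-Z]")),
    ("no lower-case letter", re.compile(r"[a-z]")),
    ("no digit", re.compile(r"[0-9]")),
    ("no symbol", re.compile(r"[^A-Za-z0-9]")),
]
YEAR_RE = re.compile(r"(19|20)\d{2}")                     # a four-digit year
NUMERIC_DATE_RE = re.compile(r"\d{1,2}[/.-]\d{1,2}([/.-]\d{2,4})?")  # 12/30 or 12-30-17
PHONE_RE = re.compile(r"\d{7,}")                           # a phone-number-sized digit run


def check_password(password, personal_info=(), min_length=9, words=COMMON_WORDS):
    """Return the list of rule violations; an empty list means the password passes.
    personal_info holds values the system knows about the user (names, birth
    date, phone, address fragments) that must not appear in the password."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    for label, pattern in CLASS_CHECKS:
        if not pattern.search(password):
            problems.append(label)
    lowered = password.lower()
    # Real words: substring match, case-insensitive, ignoring very short words.
    for word in sorted(words):
        if len(word) >= 4 and word in lowered:
            problems.append("contains the word %r" % word)
    if YEAR_RE.search(password) or NUMERIC_DATE_RE.search(password):
        problems.append("contains a date or year")
    if PHONE_RE.search(password):
        problems.append("contains a phone-number-like digit run")
    # Personal information: match the value itself, or just its digits (so a
    # birth date typed without separators is still caught).
    for item in personal_info:
        token = str(item).lower()
        digits = re.sub(r"\D", "", token)
        if len(token) >= 3 and token in lowered:
            problems.append("contains personal information %r" % item)
        elif len(digits) >= 4 and digits in lowered:
            problems.append("contains digits from personal information %r" % item)
    return problems


if __name__ == "__main__":
    # Constructed candidates; the personal details are fictional.
    user_info = ("Jane", "Doe", "01/02/1980", "617-555-1234")
    for candidate in ["Tr0ub4dor&3", "Password1!", "Harvard2010!", "Xq7$zJaneDoe!", "abc"]:
        result = check_password(candidate, personal_info=user_info)
        print("%-16s %s" % (candidate, "OK" if not result else "; ".join(result)))
```

Note that Password1! satisfies every character-class rule and the length rule and is still rejected, which is the point of the "no real words" rule on the slide: composition rules alone do not make a password hard to guess.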

Protect Your Password
• Never share your password.
• Never write down your password (e.g., on a sticky note), especially next to your computer.
• SPH IT will never ask you for your password. Moreover, no one affiliated with Harvard can legitimately ask you for your password until you leave the University.

Lock Your Computer When Away from Your Desk
It takes only a few seconds to secure your computer. When you step away from your desk:
• Set your screen saver to lock automatically after no more than thirty minutes of inactivity, if not already set.
• Before leaving your office for an extended period, either shut down your computer or put it into sleep mode.
• Consider using a cable lock to secure your laptop.

Protect Confidential Papers
• Promptly retrieve confidential documents at the photocopier, printer or fax machine.
• Keep confidential paper records in locked filing cabinets when not in use.
• If you work in an office area with confidential information, lock the doors when the office is unoccupied.
• Dispose of hard-copy High-Risk Confidential Information, or CDs containing HRCI, in an approved, locked shred bin.

Reporting HRCI Security Incidents
Immediately report any loss or breach of HRCI to:
• Andrew Ross, Information Security Manager for SPH: aross@hsph.harvard.edu
• SPH Helpdesk: helpdesk@hsph.harvard.edu
If you suspect a loss or breach of HRCI, contact Jay Carter, who will in turn notify the Office of the General Counsel and the University CIO.

Help and Resources
• Harvard’s Information Security website: www.security.harvard.edu
• SPH Information Security: http://www.hsph.harvard.edu/administrative-offices/information-technology/hsph-it-policies/security-privacy-policies/index.html (helpdesk@hsph.harvard.edu)
• SPH IT Support: http://www.hsph.harvard.edu/administrative-offices/information-technology/index.html

Last Step
Please review and accept the University confidentiality agreement, which is located under Self Service in PeopleSoft. Thank you for taking the time to complete the SPH Information Security Learning Module.