Welcome to the SPH Information Security Learning Module


1 Welcome to the SPH Information Security Learning Module
We all share a role in keeping Harvard’s confidential information secure.

2 A Shared Responsibility
A recent correspondence from the University CIO and Vice-president for Human Resources reminded the University community: As employees of Harvard, most of us work with confidential information from time to time and each of us is responsible for properly protecting the confidentiality of that information. The University is working to ensure that all employees are regularly reminded of their responsibilities regarding confidential information.

3 Objectives
This learning module is designed for SPH staff to raise awareness of the Harvard Enterprise Information Security Policy by helping you to:
• Recognize High-Risk and other Confidential Information.
• Understand how to protect it.
• Know how to report a security breach.

4 Confidential Information (CI)
Confidential Information is data about a person or an entity that, if disclosed, could reasonably be expected to place the person or the entity at risk of criminal or civil liability, or to be damaging to financial standing, employability, reputation or other interests. For example:
• Salary information
• Employee benefits and other HR information
• Grades and other non-directory education records
• Harvard IDs that are linked to names
• Unpublished research data

5 High-Risk Confidential Information (HRCI)
High-Risk Confidential Information is personally identifiable information whose confidentiality is governed by law. HRCI includes a person’s name, in conjunction with:
• Social Security number
• Credit or debit card account number
• Individual financial account number
• Driver’s license number or state ID number
• Passport number
• Biometric information (e.g., MRI scan)

HRCI also includes personally identifiable human subject information and medical information.

6 Student Information
The Family Educational Rights and Privacy Act (FERPA) is a federal law that controls access to information about students and former students. Student Information falls into two categories: directory information (which can be included in published or electronic directories) and all other information, which is considered confidential. Posting lists of Harvard IDs and grades, for example, is not permissible. It is also a violation of FERPA to leave essays or other student material containing names or Harvard IDs and grades in a pile to be picked up by students.

7 FERPA Block
By application to the Registrar’s Office, students can exercise their right to restrict the display or public disclosure of their directory information. Known as a “FERPA Block”, this designation prohibits the disclosure of any information about these students.

8 Storing HRCI and CI
HRCI should only be stored in a designated University or SPH system such as PeopleSoft. If there is a business reason to store the data in another location, please contact SPH Information Security. Confidential information that is not High-Risk can only be stored on a USB flash drive, CD, or external hard drive if it is encrypted. Never store High-Risk Confidential Information on your desktop or laptop, USB flash drive, CD or external hard drive, even if the computer disk or device is encrypted.

9 Exchanging Confidential Information Securely
Use the Accellion Secure File Transfer Server (accellion.sph.harvard.edu) to send files containing confidential information to others within or outside of the University. Do not use regular email for this purpose.

10 Tips for Navigating the Web
When browsing the web, and before submitting any confidential information, check to ensure that the web address begins with “https” in the browser window and look for the lock symbol in your browser. Beware of non-Harvard websites that claim to be official University sites. Do not use your SPH password for non-Harvard websites. Never provide personally identifiable information on a website that you did not intend to visit.

11 Do Not Reply to Suspicious Email
“Phishing Schemes” are fraudulent messages claiming to be from a legitimate source that ask you to submit confidential information such as your username, password, or date of birth. Be cautious about opening attachments that you did not expect to receive. If in doubt, call the sender. Beware of unsolicited email with links to the “Harvard” PIN site. Never provide personally identifiable information in response to unsolicited email. Never click on a link in the body of an email; always copy and paste the URL in a browser window.

12 Use a Secure Connection When Working Off Campus
When connecting to Harvard’s network from off campus, use Virtual Private Network (VPN) software, known as AnyConnect, by going to vpn5.harvard.edu.

13 Choose a Secure Password
Choose a password that you can remember without having to write it down. Use at least nine characters. Mix upper and lower case letters, and include combinations of numbers and symbols. Do not use real words, names, dates, phone numbers, addresses, or personally identifiable information as part of your password.

Choose a password that you can remember without having to write it down. Use at least eight characters. Mix upper and lower case letters and include combinations of numbers and symbols. Do not use real words, names, dates, phone numbers, addresses or personally identifiable information as part of your password.

14 Protect Your Password
Never share your password. Never write down your password (e.g., on a sticky note), especially next to your computer. SPH IT will never ask you for your password. Moreover, no one affiliated with Harvard can legitimately ask you for your password until you leave the University.

Never share your password. Never write down your password (e.g., on a sticky note), especially next to your computer. FAS IT will never ask you for your password. Moreover, no one affiliated with Harvard can legitimately ask you for your password until you leave the University.

15 When Away from Your Desk
Lock Your Computer When Away from Your Desk
• Set your screen saver to lock automatically after no more than thirty minutes of inactivity if not already set.
• Before leaving your office for an extended period, either shut down your computer or put it into sleep mode.
• Consider using a cable lock to secure your laptop.

It takes only a few seconds to secure your computer. When you step away from your desk:
• Set your screen saver to lock automatically after no more than fifteen minutes of inactivity.
• Before leaving your office for an extended period, either shut down your computer or put it into sleep mode.
• Use a cable lock to secure your laptop.

16 Protect Confidential Papers
Promptly retrieve confidential documents at the photocopier, printer or fax machine. Keep confidential paper records in locked filing cabinets when not in use. If you work in an office area with confidential information, lock the doors when the office is unoccupied. Dispose of hard-copy High-Risk Confidential Information, or CDs containing HRCI, in an approved, locked shred bin.

17 Reporting HRCI Security Incidents
Immediately report any loss or breach of HRCI to:
• Andrew Ross, Information Security Manager for SPH
• SPH Helpdesk

If you suspect a loss or breach of HRCI, contact Jay Carter, who will in turn notify the Office of the General Counsel and University CIO.

18 Help and Resources
• Harvard’s Information Security website:
• SPH Information Security:
• SPH IT Support:

19 Last Step
Please review and accept the University confidentiality agreement which is located under Self Service in PeopleSoft. Thank you for taking the time to complete the SPH Information Security Learning Module.

