Welcome to the SPH Information Security Learning Module.

Transcript of Welcome to the SPH Information Security Learning Module.

Page 1: Welcome to the SPH Information Security Learning Module.

Welcome to the SPH Information Security Learning Module

Page 2: Welcome to the SPH Information Security Learning Module.

A Shared Responsibility

A recent correspondence from the University CIO and Vice-president for Human Resources reminded the University community:

• As employees of Harvard, most of us work with confidential information from time to time and each of us is responsible for properly protecting the confidentiality of that information.

• The University is working to ensure that all employees are regularly reminded of their responsibilities regarding confidential information.

Page 3: Welcome to the SPH Information Security Learning Module.

Objectives

This learning module is designed for SPH staff to raise awareness of the Harvard Enterprise Information Security Policy by helping you to:

• Recognize High-Risk and other Confidential Information.

• Understand how to protect it.

• Know how to report a security breach.

Page 4: Welcome to the SPH Information Security Learning Module.

Confidential Information (CI)

• Confidential Information is data about a person or an entity that, if disclosed, could reasonably be expected to place the person or the entity at risk of criminal or civil liability, or to be damaging to financial standing, employability, reputation or other interests. For example:

• Salary information
• Employee benefits and other HR information
• Grades and other non-directory education records
• Harvard IDs that are linked to names
• Unpublished research data

Page 5: Welcome to the SPH Information Security Learning Module.

High-Risk Confidential Information (HRCI)

• High-Risk Confidential Information is personally identifiable information whose confidentiality is governed by law.

• HRCI includes a person’s name, in conjunction with:

• Social Security number
• Credit or debit card account number
• Individual financial account number
• Driver’s license number or state ID number
• Passport number
• Biometric information (e.g., MRI scan)

• HRCI also includes personally identifiable human subject information and medical information.

Page 6: Welcome to the SPH Information Security Learning Module.

Student Information

• The Family Educational Rights and Privacy Act (FERPA) is a federal law that controls access to information about students and former students.

• Student Information falls into two categories: directory information (which can be included in published or electronic directories) and all other information, which is considered confidential.

• Posting lists of Harvard IDs and grades, for example, is not permissible. It is also a violation of FERPA to leave essays or other student material containing names or Harvard IDs and grades in a pile to be picked up by students.

Page 7: Welcome to the SPH Information Security Learning Module.

FERPA Block

• By application to the Registrar’s Office, students can exercise their right to restrict the display or public disclosure of their directory information. Known as a “FERPA Block”, this designation prohibits the disclosure of any information about these students.

Page 8: Welcome to the SPH Information Security Learning Module.

Storing HRCI and CI

• HRCI should be stored in a designated University or SPH system such as PeopleSoft.

• Confidential information that is not High-Risk can only be stored on a USB flash drive, CD or external hard drive if the drive is encrypted.

• Never store HRCI on your desktop or laptop, USB flash drive, CD or external hard drive, even if the computer disk or device is encrypted.

Page 9: Welcome to the SPH Information Security Learning Module.

Exchanging Confidential Information Securely

• Use the Accellion Secure File Transfer Server accellion.sph.harvard.edu to send files containing confidential information to others within or outside of the University. Do not use regular email for this purpose.

Page 10: Welcome to the SPH Information Security Learning Module.

Tips for Navigating the Web

• When browsing the web, and before submitting any confidential information, check to ensure that the web address begins with “https” in the browser window and look for the lock symbol in your browser.

• Beware of non-Harvard websites that claim to be official University sites.

• Do not use your SPH password for non-Harvard websites.

• Never provide personally identifiable information on a website that you did not intend to visit.

Page 11: Welcome to the SPH Information Security Learning Module.

Do Not Reply to Suspicious Email

• “Phishing Schemes” are fraudulent email messages claiming to be from a legitimate source that ask you to submit confidential information such as your username, password, or date of birth.

• Be cautious about opening email attachments that you did not expect to receive. If in doubt, call the sender.

• Beware of unsolicited email with links to the “Harvard” PIN site.

• Never provide personally identifiable information in response to unsolicited email.

• Never click on a link in the body of an email; always copy and paste the URL in a browser window.

Page 12: Welcome to the SPH Information Security Learning Module.

Use a Secure Connection When Working Off Campus

• When connecting to Harvard’s network from off campus, use Virtual Private Network (VPN) software, known as AnyConnect, by going to vpn5.harvard.edu.

Page 13: Welcome to the SPH Information Security Learning Module.

Choose a Secure Password

• Choose a password that you can remember without having to write it down.

• Use at least nine characters.

• Mix upper and lower case letters, and include combinations of numbers and symbols.

• Do not use real words, names, dates, phone numbers, addresses, or personally identifiable information as part of your password.

Page 14: Welcome to the SPH Information Security Learning Module.

Protect Your Password

• Never share your password.

• Never write down your password (e.g., on a sticky note), especially next to your computer.

• SPH IT will never ask you for your password. Moreover, no one affiliated with Harvard can legitimately ask you for your password until you leave the University.

Page 15: Welcome to the SPH Information Security Learning Module.

Lock Your Computer When Away from Your Desk

• Set your screen saver to lock automatically after no more than thirty minutes of inactivity if not already set.

• Before leaving your office for an extended period, either shut down your computer or put it into sleep mode.

• Consider using a cable lock to secure your laptop.

Page 16: Welcome to the SPH Information Security Learning Module.

Protect Confidential Papers

• Promptly retrieve confidential documents at the photocopier, printer or fax machine.

• Keep confidential paper records in locked filing cabinets when not in use.

• If you work in an office area with confidential information, lock the doors when the office is unoccupied.

• Dispose of hard-copy High-Risk Confidential Information, or CDs containing HRCI, in an approved, locked shred bin.

Page 17: Welcome to the SPH Information Security Learning Module.

Reporting HRCI Security Incidents

Immediately report any loss or breach of HRCI to:

• Andrew Ross, Information Security Manager for [email protected]

• SPH [email protected]

Page 19: Welcome to the SPH Information Security Learning Module.

Last Step

• Please review and accept the University confidentiality agreement which is located under Self Service in PeopleSoft.

• Thank you for taking the time to complete the SPH Information Security Learning Module.