Harvard University - Economics Department

Technology Security FAQ

General

  1. I think my Confidential Information or my computer may have been hacked or exposed. What should I do?
  2. How does Harvard define Confidential Information (CI)?
  3. What is High-Risk Confidential Information (HRCI)?

    Administrative and Course-Related Computing
  4. May I keep CI on an encrypted Harvard laptop?
  5. May I keep CI on a non-Harvard laptop?
  6. May I keep CI on other portable devices such as smartphones?
  7. May I keep HRCI on an encrypted Harvard laptop?
  8. Must I encrypt my laptops?
  9. How do I securely discard or reassign my old Harvard computer?
  10. May I keep student info on my desktop computer?
  11. What about student contact (catalog) info?
  12. What about other student info?
  13. Okay, but if I really do have to keep some CI on my desktop computer to get my work done?
  14. What about CI on USB drives, CDs, etc?
  15. What secure Harvard file servers are available to me for CI?
  16. What servers exist for housing administrative HRCI?
  17. How may I securely transfer CI or HRCI outside Harvard?
  18. What about Word or Excel Passwords on files containing CI?
  19. What about vendors or consultants working with Harvard CI?
  20. What about vendors or consultants working with Harvard HRCI?
  21. Where can I read the full and official description of Harvard’s data-security policy?

    Research Computing

  22. What servers exist for housing research CI or HRCI?
  23. In the meantime, what do I do about housing my research or administrative HRCI?
  24. What if I want to do a web survey as part of my research?
  25. Who may sign a Data Use Agreement?
  26. Do the requirements of a Data Use Agreement override Harvard’s CI and HRCI requirements?
  27. Who is ultimately responsible for compliance when it comes to protecting research data?
  28. Where can I read the full and official description of Harvard’s research-computing security policy?


  1. I think my Confidential Information or my computer has been hacked or exposed. What should I do?

    When this happens, you are required to inform the University immediately. Please notify any of these resources:

    Harvard University Information Technology Support Center:

    617 495-7777 or ithelp@harvard.edu

    FAS Information Security Team:

    888 858-5357

    Chief Information Security Officer:

    617 496-5704 (office)

    617 999-3867 (cell phone)

    jcarter@fas.harvard.edu

    Economics Dept. Computer Security Officer:

    Peter Brown

    617 496-4108 (pbrown@harvard.edu)


  2. How does Harvard define Confidential Information (CI)?

    Information is confidential if its disclosure could cause civil or criminal liability to or damage the financial standing, employability, reputation, or other interests of the exposed person. Student grades, reference letters and applications would be common examples of CI.


  3. What is High-Risk Confidential Information (HRCI)?

    HRCI includes a person’s name in conjunction with a credit card number, SSN, passport number, driver's license, biometric, human subject or medical info or other highly sensitive data.




  4. May I keep CI on an encrypted Harvard laptop?

    Given a specific business reason for doing so, CI may be kept on an encrypted laptop if it is properly configured: it must have a timeout password controlling access to the desktop, the operating system must be updated regularly, it must run up-to-date anti-virus software, its firewall must be active, it must be kept in a secured location, and so on. In other words, all common-sense steps must be taken so that the laptop can be used to securely complete a specific business-related task involving CI. Once the task is completed, the data should be moved to a secure FAS file server, such as \\fas-depts (commonly known in the Economics Department as the H: drive), and the files deleted from the local machine using an approved secure-erase program, such as Secure Erase or Darik’s Boot-And-Nuke. For info about secure-erase software and access to a secure FAS file server, please call 5-9000.

  5. May I keep CI on a non-Harvard laptop?

    Only with specific permission from Peter Brown, which will only be given if there is sufficient business reason and if the laptop is protected as well as a Harvard-owned one (see question 4).


  6. May I keep CI on other portable devices such as smartphones?

    Given a specific reason for doing so, CI may be stored on some handheld devices if they are configured and managed appropriately. If you need to do this, please contact security@fas.harvard.edu for guidance as to the treatment of your specific device.




  7. May I keep HRCI on an encrypted Harvard laptop or other portable device such as a smartphone?

    No. HRCI may not be kept on any laptops or portable devices, even if the devices are encrypted. If you have questions about this, please contact Peter Brown (pbrown@harvard.edu) or the HUIT security group (ithelp@harvard.edu).



  8. Must I encrypt my laptops?

    The hard disks of all Harvard-owned laptops must be encrypted. To get this done, please call 5-9000.


  9. How do I securely discard or reassign my old Harvard computer?

    Before transferring or disposing of a Harvard-owned computer, the hard disk must be securely "wiped." Deleting or reformatting the HD is not sufficient. To get this done, please call 5-9000. Harvard computers cannot be transferred outside of Harvard unless approved by Peter Brown and unless the operating system has been removed.




  10. May I keep student info on my desktop computer?

    The recommended location for all CI is a secure Harvard file server, such as the network location commonly known in our department as the H: drive. Confidential student information such as grades or reference letters must not be kept on a desktop or even an encrypted laptop unless there are specific business reasons for doing so and the personal computer is configured appropriately. Once the business task is completed, the data should be removed to a secure Harvard server and the files overwritten using an approved secure-erase program. For more details, see question 13.


  11. What about student contact (catalog) info?

    Some students are identified as having a Family Educational Rights and Privacy Act (FERPA) “block,” which means ALL information relating to them (including contact info) may be kept only on a secure server and not on a desktop computer. Since you may not always know which students have FERPA blocks, the best practice is not to keep any student contact info on a desktop or laptop computer.


  12. What about other student info?

    Other student info (such as grades, reference letters, transcripts, personal statements, class work) must be treated as CI. As a general rule, it is best for faculty and staff to treat all student data as CI, unless there are specific reasons not to.




  13. Okay, but if I really do have to keep some CI on my desktop computer to get my work done?

    CI may be kept on a desktop computer if it is properly configured: it must have a timeout password controlling access to the desktop, the operating system must be updated regularly, it must run up-to-date anti-virus software, its firewall must be active, it must be kept in a secured room, and so on. In other words, all common-sense steps must be taken so that the computer can be used to securely complete a specific business-related task involving CI. If you still need the data once the task is completed, it must be moved to a secure FAS file server, such as \\fas-depts (commonly known in the Economics Department as the H: drive), and the files deleted from the desktop machine using an approved secure-erase program, such as Secure Erase or Darik’s Boot-And-Nuke. For info about secure-erase software and access to a secure FAS file server, please call 5-9000.
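    The configuration requirements in questions 4 and 13 (a timeout password on the desktop, a regularly updated operating system, current anti-virus software and an active firewall), together with the whole-disk encryption required in question 8, can be self-checked before any CI is placed on a machine. The PowerShell script below is an added example written for this FAQ; it is not a Harvard or HUIT tool and not part of the original page. It reads the screen-saver lock settings from the registry, the anti-virus registration in Windows Security Center, the firewall profile states via netsh, the date of the last successful Windows Update installation, and the BitLocker status of the system drive, and lists every requirement that is not met. The 15-minute lock threshold and 30-day patch window are assumed values for illustration, the Security Center productState bit positions are the commonly documented ones rather than an official specification, and the encryption check assumes BitLocker; if the department uses a different whole-disk product, replace that one check. Confirm the actual thresholds with 5-9000.

```powershell
# Added example: desktop/laptop baseline self-check for the CI requirements in this FAQ.
# Assumed thresholds (not stated in the FAQ): lock after at most 15 minutes, patched within 30 days.
$MaxLockMinutes  = 15
$MaxPatchAgeDays = 30
$findings = @()

# 1. Timeout password: screen saver enabled, password required on resume, short enough timeout.
$ss = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($ss.ScreenSaveActive -ne '1' -or $ss.ScreenSaverIsSecure -ne '1') {
    $findings += 'Screen lock: screen saver is not enabled with "On resume, display logon screen".'
} elseif ([int]$ss.ScreenSaveTimeOut -gt ($MaxLockMinutes * 60)) {
    $findings += "Screen lock: timeout is $([int]$ss.ScreenSaveTimeOut / 60) minutes, limit is $MaxLockMinutes."
}

# 2. Anti-virus: products registered with Windows Security Center (client editions, Vista and later).
$av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $av) {
    $findings += 'Anti-virus: no product is registered with Windows Security Center.'
} else {
    foreach ($p in $av) {
        # productState is a bit field. Commonly documented layout (assumption, not an official spec):
        # middle byte 0x10 = real-time protection on; low byte 0x10 = definitions out of date.
        $state     = [int]$p.productState
        $rtOn      = ($state -band 0x1000) -ne 0
        $defsStale = ($state -band 0x10) -ne 0
        if (-not $rtOn) { $findings += "Anti-virus: real-time protection is off for $($p.displayName)." }
        if ($defsStale) { $findings += "Anti-virus: definitions are out of date for $($p.displayName)." }
    }
}

# 3. Firewall: every profile (domain, private, public) must report State ON.
$fw = netsh advfirewall show allprofiles state 2>$null
$offProfiles = @($fw | Where-Object { $_ -match '^State\s+OFF' })
if ($offProfiles.Count -gt 0) {
    $findings += "Firewall: $($offProfiles.Count) profile(s) are OFF."
}

# 4. OS updates: date of the last successful Windows Update installation.
$au   = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
$last = $au.Results.LastInstallationSuccessDate
if (-not $last -or ((Get-Date) - $last).TotalDays -gt $MaxPatchAgeDays) {
    $findings += "OS updates: last successful installation was '$last' (limit $MaxPatchAgeDays days)."
}

# 5. Whole-disk encryption (question 8): BitLocker protection on the system drive.
# Get-BitLockerVolume exists on Windows 8 / Server 2012 and later and needs an elevated session.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $bl) {
    $findings += 'Disk encryption: BitLocker status could not be read (cmdlet unavailable or not elevated).'
} elseif ("$($bl.ProtectionStatus)" -ne 'On') {
    $findings += "Disk encryption: BitLocker protection is $($bl.ProtectionStatus) on $env:SystemDrive."
}

# Report: a non-empty list means the machine does not yet meet the FAQ's configuration requirements.
if ($findings.Count -eq 0) {
    Write-Output 'Baseline check passed: no blockers found for working with CI on this machine.'
} else {
    Write-Output 'Baseline check FAILED. Resolve the following before placing CI on this machine:'
    $findings | ForEach-Object { Write-Output " - $_" }
    exit 1
}
```

    Run the script from an elevated PowerShell session, since the BitLocker check cannot read protection status otherwise. A passing result only covers the technical items; the requirement to keep the machine in a secured location, and the removal of the data to the H: drive with a secure erase once the task is done, still have to be handled by the user.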


  14. What about CI on USB drives, CDs, etc?

    Non-HRCI confidential info may be kept on USB drives, CDs or external hard drives only when there is a business reason to do so and only if those devices are encrypted. In these cases, please contact IT Security (ithelp@harvard.edu) to request an IronKey secure flash drive, which will be provided at no cost.


  15. What secure Harvard file servers are available to me for CI?

    The system known as \\fas-depts is available and provides a sufficient level of security for CI. Many Economics faculty members already have accounts on this system. For information about or access to this server, please call 5-9000.




  16. What servers exist for housing administrative HRCI?

    As of September 2012, qualifying servers don’t exist for the Economics Department; we are working alongside HUIT to establish this service.


  17. How may I securely transfer HRCI or CI outside Harvard?

    Do not use e-mail to transmit CI. Rather, use Harvard's Accellion Secure File Transfer server: http://fta.fas.harvard.edu. To get help with this, call 5-9000. HRCI can only be transferred out of Harvard if Harvard has a contract containing specific security requirements with the destination of the transfer. See http://www.security.harvard.edu/enterprise-security-policy/6-working-with-vendors.


  18. What about Word or Excel Passwords on files containing CI?

    Users should not depend on the built-in file locking in Microsoft Office for confidential info; any number of programs can be used to circumvent those protections. Instead, users can encrypt such files using PGP or, for Windows computers, WinZip.




  19. What about vendors or consultants working with Harvard CI?

    These parties must have a written contract covering their services, including a requirement to protect CI.
    See http://www.security.harvard.edu/enterprise-security-policy/6-working-with-vendors.


  20. What about vendors or consultants working with Harvard HRCI?

    Those who wish to contract with a vendor to collect or work with HRCI must obtain prior approval from the University CIO. For information, contact security@fas.harvard.edu or any of the parties listed in question 1. See also question 14.


  21. Where can I read the full and official description of Harvard’s enterprise-security policy?

    Please click here for the enterprise-security policy.



  22. What servers exist for housing research CI or HRCI?

    With the help of the HUIT Research Computing group, the Economics Department has provided a system designed to satisfy the requirements for using many types of CI (security level 3). As required by the Harvard Internal Review Board (IRB), the Economics Department has also established a policy defining what categories of users will have access to this system. These two categories are: 1) a limited, identified group of designated HUIT system administrators, and 2) researchers who have a direct Harvard affiliation, are under the advice and supervision, for research purposes, of Harvard faculty, and have a demonstrated need to use CI or HRCI. All exceptions to this policy will have to be approved by the IRB. If you would like to use this system, please contact Peter Brown at pbrown@harvard.edu.


  23. In the meantime, what do I do about housing my research or administrative HRCI?

    Please contact pbrown@harvard.edu or security@fas.harvard.edu for an analysis of your needs, so that we can make necessary arrangements.


  24. What if I want to do a web survey as part of my research?

    A web survey must be approved by the Committee on the Use of Human Subjects. Also please check with the IRB. For details and forms, please visit http://cuhs.harvard.edu


  25. Who may sign a Data Use Agreement?

    Only offices that have been specifically authorized by Harvard may do so. Economics Dept. researchers should contact the Office for Sponsored Programs to find out how to get an authorized signature.




  26. Do the requirements of a Data Use Agreement override Harvard’s CI and HRCI requirements?

    Maybe. All research conducted at Harvard must comply with Harvard policies, even if the Data Use Agreement calls for lesser levels of protection. A data-use agreement may require additional protections, in which case the researcher must also meet the requirements in the data-use agreement.


  27. Who is ultimately responsible for compliance when it comes to protecting research data?

    Compliance is ultimately the responsibility of the Principal Investigator.


  28. Where can I read the full and official description of Harvard’s research-computing security policy?

    For research computing, see http://www.security.harvard.edu/research-data-security-policy

