Technology Security

How do I securely transfer HRCI (High Risk Confidential Information) or CI (Confidential Information) outside Harvard?

Do not use e-mail to transmit CI (Confidential Information). Please use Harvard's Accellion Secure File Transfer server: http://fta.fas.harvard.edu. To get help with this, call 5-9000. HRCI can only be transferred out of Harvard if Harvard has a contract containing specific security requirements with the destination of the transfer.

May I keep CI on an encrypted Harvard laptop?

Given a specific business reason for doing so, CI may be kept on an encrypted laptop if it is properly configured. It must have a timeout password controlling access to the desktop; the operating system must be updated regularly; it must have updated anti-virus software and an active firewall; and it must be kept in a secured location, etc. In other words, all common-sense steps must be taken so that the laptop may be used to work with CI to securely complete a specific business-related task. Once the task is completed, the data should be removed to a secure FAS file server, such as \\fas-depts (commonly known in the Economics Department as the H: drive), and the files deleted from the desktop machine using an approved secure-erase program, such as Secure Erase or Darik’s Boot-And-Nuke. For info about secure-erase software and access to a secure FAS file server, please call 5-9000.

May I keep student info on my desktop computer?

The recommended location for all CI is a secure Harvard file server, such as the network location commonly known in our department as the H: drive. Confidential student information such as grades or reference letters must not be kept on a desktop or even an encrypted laptop unless there are specific business reasons for doing so and the personal computer is configured appropriately. Once the business task is completed, the data should be removed to a secure Harvard server and the files overwritten using an approved secure-erase program. For more details, see question:  

Okay, but if I really do have to keep some CI on my desktop computer to get my work done?

CI may be kept on a desktop computer if it is properly configured. It must have a timeout password controlling access to the desktop; the operating system must be updated regularly; it must have updated anti-virus software and an active firewall; and it must be kept in a secured room, etc. In other words, all common-sense steps must be taken so that the computer may be used to work with CI to securely complete a specific business-related task. If you still need the data once the task is completed, the data must be moved to a secure FAS file server, such as \\fas-depts (commonly known in the Economics Department as the H: drive), and the files deleted from the desktop machine using an approved secure-erase program, such as Secure Erase or Darik’s Boot-And-Nuke. For info about secure-erase software and access to a secure FAS file server, please call 5-9000.

What about student contact (catalog) info?

Some students are identified as having a Family Educational Rights and Privacy Act (FERPA) “block,” which means ALL information relating to them (including contact info) may be kept only on a secure server and not on a desktop computer. Since you may not always know which students have FERPA blocks, the best practice would be not to keep any student contact info on a desktop or laptop computer.
