Welcome to the SPH Information Security Learning Module
A Shared Responsibility A recent correspondence from the University CIO and Vice-president for Human Resources reminded the University community: As employees of Harvard, most of us work with confidential information from time to time, and each of us is responsible for properly protecting the confidentiality of that information. The University is working to ensure that all employees are regularly reminded of their responsibilities regarding confidential information.
Objectives This learning module is designed for SPH staff to raise awareness of the Harvard Enterprise Information Security Policy by helping you to: Recognize High-Risk and other Confidential Information. Understand how to protect it. Know how to report a security breach.
Confidential Information (CI) Confidential Information is data about a person or an entity that, if disclosed, could reasonably be expected to place the person or the entity at risk of criminal or civil liability, or to be damaging to financial standing, employability, reputation or other interests. For example: salary information; employee benefits and other HR information; grades and other non-directory education records; Harvard IDs that are linked to names; unpublished research data.
High-Risk Confidential Information (HRCI) High-Risk Confidential Information is personally identifiable information whose confidentiality is governed by law. HRCI includes a person’s name, in conjunction with: Social Security number; credit or debit card account number; individual financial account number; driver’s license number or state ID number; passport number; biometric information (e.g., MRI scan). HRCI also includes personally identifiable human subject information and medical information.
Student Information The Family Educational Rights and Privacy Act (FERPA) is a federal law that controls access to information about students and former students. Student Information falls into two categories: directory information (which can be included in published or electronic directories) and all other information, which is considered confidential. Posting lists of Harvard IDs and grades, for example, is not permissible. It is also a violation of FERPA to leave essays or other student material containing names or Harvard IDs and grades in a pile to be picked up by students.
FERPA Block By application to the Registrar’s Office, students can exercise their right to restrict the display or public disclosure of their directory information. Known as a “FERPA Block”, this designation prohibits the disclosure of any information about these students.
Storing HRCI and CI HRCI should be stored in a designated University or SPH system such as PeopleSoft. Confidential information that is not High-Risk can only be stored on a USB flash drive, CD or external hard drive if the drive is encrypted. Never store HRCI on your desktop or laptop, USB flash drive, CD or external hard drive, even if the computer disk or device is encrypted.
Exchanging Confidential Information Securely Use the Accellion Secure File Transfer Server accellion.sph.harvard.edu to send files containing confidential information to others within or outside of the University. Do not use regular email for this purpose.
Tips for Navigating the Web When browsing the web, and before submitting any confidential information, check to ensure that the web address begins with “https” in the browser window and look for the lock symbol in your browser. Beware of non-Harvard websites that claim to be official University sites. Do not use your SPH password for non-Harvard websites. Never provide personally identifiable information on a website that you did not intend to visit.
Do Not Reply to Suspicious Email “Phishing Schemes” are fraudulent email messages claiming to be from a legitimate source that ask you to submit confidential information such as your username, password, or date of birth. Be cautious about opening email attachments that you did not expect to receive. If in doubt, call the sender. Beware of unsolicited email with links to the “Harvard” PIN site. Never provide personally identifiable information in response to unsolicited email. Never click on a link in the body of an email; always copy and paste the URL in a browser window.
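The two slides above tell you to check for "https" and to be wary of non-Harvard sites posing as official ones, and to paste URLs into the browser rather than clicking them. The following Python function, an added example that is not part of the module, applies those two checks to a pasted URL: the scheme must be https, and the parsed hostname (not merely the text of the URL) must be harvard.edu or one of its subdomains. The allow-list and the sample URLs are constructed for the example; the lock symbol the slide mentions is a browser certificate check that this code does not replicate.

```python
from urllib.parse import urlparse

# Domains the module treats as official: the University domain and its
# subdomains (accellion.sph.harvard.edu, vpn5.harvard.edu, ...).
# This allow-list is an assumption made for the example.
TRUSTED_DOMAINS = ("harvard.edu",)


def check_url(url):
    """Return (ok, reason).

    ok is True only when the URL uses https and its hostname is exactly a
    trusted domain or a subdomain of one. Matching the parsed hostname
    rather than searching the URL text for "harvard.edu" is what rejects
    look-alikes such as harvard.edu.example.com.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme != "https":  # urlparse lower-cases the scheme
        return False, f"scheme is {parsed.scheme or 'missing'!r}, not https"
    host = (parsed.hostname or "").rstrip(".")  # hostname is already lower-case
    if not host:
        return False, "no hostname in URL"
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return True, f"{host} is within {domain}"
    return False, f"{host} is not a Harvard domain"


def triage(urls):
    """Apply check_url to each URL; returns a list of (url, ok, reason)."""
    return [(u,) + check_url(u) for u in urls]


if __name__ == "__main__":
    # Constructed sample URLs for demonstration only.
    samples = [
        "https://accellion.sph.harvard.edu/",
        "https://vpn5.harvard.edu",
        "http://www.harvard.edu/pin",            # not https
        "https://harvard.edu.example.com/login",  # look-alike subdomain
        "https://harvardedu.example.com/",        # no dot boundary
    ]
    for url, ok, reason in triage(samples):
        print(f"{'OK  ' if ok else 'STOP'} {url}  ({reason})")
```

The function deliberately returns a reason string alongside the verdict so that a helpdesk script or browser extension built on it can tell the user which of the two slide rules the URL failed.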
Use a Secure Connection When Working Off Campus When connecting to Harvard’s network from off campus, use Virtual Private Network (VPN) software, known as AnyConnect, by going to vpn5.harvard.edu.
Choose a Secure Password Choose a password that you can remember without having to write it down. Use at least nine characters. Mix upper and lower case letters, and include combinations of numbers and symbols. Do not use real words, names, dates, phone numbers, addresses, or personally identifiable information as part of your password.
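As an added example (not part of the module), the Python function below turns the rules on this slide into a local check: at least nine characters, upper- and lower-case letters, a digit and a symbol, and no real words, names, dates or phone numbers. The word list and the personal-information tokens are constructed for the example (a real deployment would load a dictionary file and the user's own details); treating a run of six or more digits as a date or phone-number fragment is an assumption of the example, not a rule the slide states.

```python
import re
import string

# Constructed sample word list; a real check would load a dictionary file.
COMMON_WORDS = ("harvard", "password", "welcome", "summer", "boston", "crimson")


def _normalize(text):
    """Lower-case and drop punctuation so 'Jane.Doe' matches 'janedoe'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(pw, personal_info=()):
    """Return a list of policy violations; an empty list means the password
    satisfies every rule the slide states.

    personal_info: names, dates, phone numbers etc. that must not appear.
    """
    problems = []
    if len(pw) < 9:
        problems.append("fewer than nine characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")

    flat = _normalize(pw)
    for word in COMMON_WORDS:
        if word in flat:
            problems.append(f"contains the word {word!r}")
    for item in personal_info:
        token = _normalize(item)
        # Skip very short tokens (initials) that would match almost anything.
        if len(token) >= 3 and token in flat:
            problems.append(f"contains personal information {item!r}")
    # Assumption for this example: six or more consecutive digits look like
    # a date (19850314) or phone number (6175550100).
    if re.search(r"\d{6,}", pw):
        problems.append("contains a date- or phone-number-like digit run")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    me = ["Jane", "Doe", "1985-03-14", "617-555-0100"]
    for candidate in ["harvard2014", "Jane.Doe!1985", "Tr7#kq!Zp"]:
        result = check_password(candidate, me)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

Because the function reports every failed rule rather than stopping at the first, it can be used both as a pre-submit check and as the explanation shown to the user.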
Protect Your Password Never share your password. Never write down your password (e.g., on a sticky note), especially next to your computer. SPH IT will never ask you for your password. Moreover, no one affiliated with Harvard can legitimately ask you for your password until you leave the University.
Lock Your Computer When Away from Your Desk Set your screen saver to lock automatically after no more than thirty minutes of inactivity if not already set. Before leaving your office for an extended period, either shut down your computer or put it into sleep mode. Consider using a cable lock to secure your laptop.
Protect Confidential Papers Promptly retrieve confidential documents at the photocopier, printer or fax machine. Keep confidential paper records in locked filing cabinets when not in use. If you work in an office area with confidential information, lock the doors when the office is unoccupied. Dispose of hard-copy High-Risk Confidential Information, or CDs containing HRCI, in an approved, locked shred bin.
Reporting HRCI Security Incidents Immediately report any loss or breach of HRCI to: Andrew Ross, Information Security Manager for SPH (email@example.com); SPH Helpdesk (firstname.lastname@example.org).
Help and Resources Harvard’s Information Security website: www.security.harvard.edu. SPH Information Security: http://www.hsph.harvard.edu/administrative-offices/information-technology/hsph-it-policies/security-privacy-policies/index.html (email@example.com@hsph.harvard.edu). SPH IT Support: http://www.hsph.harvard.edu/administrative-offices/information-technology/index.html (firstname.lastname@example.org).
Last Step Please review and accept the University confidentiality agreement, which is located under Self Service in PeopleSoft. Thank you for taking the time to complete the SPH Information Security Learning Module.