SPH Information Security Update

1. SPH Information Security Update March 16, 2010

2. Today�s Agenda Case Studies Types of Confidential Information High Risk Confidential Information (HRCI) Why We Are Focusing on This Obtaining and Storing HRCI Exchanging Confidential Files Encrypting Laptops Recent Security Developments What We Are Asking of You

3. Case Studies Data breach in February, 2008, costing Harvard over $1,000,000 10,000 victims were involved, requiring individual notification and fraud monitoring services Security consulting services were engaged by the University In 2008, the number of stolen records ranged between 4,200 � 113,000 per data breach In 2007, the mean cost of fraud per victim was $5,720 In 2009, the average organizational cost of a data breach was $6.7 million per incident. January 2010 - Boston Globe article reported �One million Massachusetts residents - or 1 in 6 people - have had their credit card numbers, medical records, or other personal information leaked or stolen over the past two years, according to records provided to the Globe by state officials.� The primary preventive measures taken after a breach are training and awareness education. Reputational harm to an organization can be substantial.

5. High Risk Confidential Information (HRCI) Certain categories of information are classified as High Risk, either because the exposure of this information can cause harm or because the information is specifically protected under law or under contract. Extra care must be taken to protect HRCI in both electronic and paper form. Improper access to or release of high-risk confidential information may be subject to legal reporting requirements.

6. Why We Are Focusing on This State Law CMR 201 17.00 sets forth regulations for anyone who uses personal information about Massachusetts residents Harvard Enterprise Information Security Policy (HEISP) University Mandates (Risk Management Committee: May 2009) Training Comprehensive Communications Laptop Encryption Finding HRCI Vulnerability Testing Network Requirements Remote Access Standard File Transfers Non-Administrative System Certification Managing Security and Practices University Contracts Non-disclosure agreements, etc. FERPA (Family Educational Rights and Privacy Act)

7. Obtaining High Risk Confidential Information You must obtain prior approval from the SPH/ University CIO to collect or work with HRCI or to contract with a vendor to collect or work with such information. Request for HRCI Form OGC Contract Rider

8. Storing High Risk Confidential Information High-Risk Confidential Information shall not exist outside of an approved system (e.g., PeopleSoft), and cannot be stored locally. This includes: cannot be stored on Individual user computers cannot be stored on USB key / flash drives cannot be stored on External hard drives All University-owned servers and user computers will be scanned annually for HRCI. We will deploying in the near future McAfee�s Data Loss Prevention(DLP) software to all PCs. Paper, and other non-electronic records containing HRCI must be kept in secure, locked containers when not in use: Use a key locker, or assigned and numbered keys. Store HRCI in a supervised room controlled by card access, and review the access logs.

9. Exchanging Confidential Files Do not include or attach confidential information in your email. All confidential information must be encrypted when sent across a network. We are offering an Accellion Secure File Transfer Server to send and receive files containing confidential information. http://accellion.sph.harvard.edu

10. Accellion: login screen

11. Accellion: exchanging confidential files

12. Encrypting Laptops: what and why? Encryption software encodes and password-protects the contents of your hard drive when your computer is not in use. The theft of a Harvard computer or portable storage device (e.g., USB key, external hard drive) must not put Confidential Information at risk of disclosure. Because University-owned laptops are particularly vulnerable to loss or theft, they must be encrypted.

13. Encrypting Laptops: when and how? April 30, 2010 Goal to encrypt all high profile department laptops June 1, 2010 Goal to encrypt all remaining laptops --- SPH IT purchased licenses of McAfee Endpoint Encryption software to encrypt all laptops, as well as all desktop computers used to process or store Confidential Information: Note: HRCI is not allowed to be stored on a laptop even if it is encrypted. Now we need your help to collect a list of all Harvard-owned laptops. Please got to http://www.hsph.harvard.edu/it/laptop-encryption and register.

14. Recent Security Developments Annual Certification for Staff On-line Training Course (EUREKA!) Harvard Confidentiality Agreement All Harvard owned PCs will be annually scanned for HRCI SPH IT has purchased McAfee DLP software to be installed on all PCs with our SPH image. We will be deploying it in the near future. New University Standard for Remote Access to HRCI will be forth coming and will most likely include the following Access to High Risk Confidential Information must be limited to those with a specific business, educational, or research need. Access rights must be updated when individuals change jobs. Computers used to access HRCI off campus must comply with additional software configuration requirements, and must use an encrypted network connection such as VPN.

15. What We Are Asking of You Staff to participate in Annual Certification On-Line Security Training Harvard Confidentiality Agreement Partner with us to foster security awareness and compliance Appropriate use of Confidential Information Accellion for exchanging confidential files Operators of systems not managed by SPH IT must self certify their system(s) is in compliance with University Policy Promptly report any security incidents Register your laptop online or contact the Helpdesk to schedule your laptop to be encrypted

16. Contact Information SPH Information Security helpdesk@hsph.harvard.edu Info_security@hsph.harvard.edu Andrew Ross 617.432.1279 aross@hsph.harvard.edu Questions?