When you request technical support, please remember to request it by e-mailing or calling 5-9000, ithelp@harvard.edu. Even if you e-mail or speak directly to Paul Millet (Econ-embedded tech), please send an e-mail to ithelp as a way of assuring that a “ticket” gets created.

Upload: claud-nichols

Post on 13-Dec-2015



When you request technical support

Please remember to request it by e-mailing or calling 5-9000, ithelp@harvard.edu

Even if you e-mail or speak directly to Paul Millet (Econ-embedded tech), please send an e-mail to ithelp as a way of assuring that a “ticket” gets created.


Data Security

Harvard Economics Department, Undergrad Program, 8.14.2104


Who am I?

Peter Brown, [email protected], 617 496-4108

Economics Department IT Manager & IT Security Officer


What does Economics IT Security Officer Do?

• Work to maintain departmental compliance with Harvard requirements

• Inform department users of security rules and best practices

• Liaison to HUIT Security Group

• Assist researchers in obtaining IRB approvals

• Provide or help to specify secure computing resources for researchers

• Liaison to HUIT, OGC, AD in the case of a suspected data breach


We all have to think about data security…


Staff & Faculty & Students

… but data-security questions for staff might not be the same as those for faculty or grad students.


We are concerned about two basic types of data:

Administrative

Research


First, to understand Harvard’s rules, what is the IRB?

• The Institutional Review Board is an internal HU group responsible for designating whether data for a research project should be considered human-subjects data and, if so, for assigning a security level to any given research dataset stored at Harvard

• Usually before obtaining the data, researchers apply for an IRB designation (of security level 1-5)


Who cares about Levels 1 and 5?

HU recognizes 5 levels of data sensitivity. Levels 1 and 5 do not commonly concern Econ staff:

• Level 1: public information (lowest level)

• Level 5: extremely sensitive research or medical data (highest level)


What is Level 2?

Disclosure of L2 info would not cause material harm, but HU has for some reason decided to keep it confidential. It might be:

• Unpublished research and intellectual property not in Level 3 or 4

• Research data classified as Level 2 by the IRB

• Patent applications and materials

• Drafts of research papers

• Building plans and information about the physical plant


Some examples of L3?

• Harvard personnel records

• Research data classified as Level 3 by the IRB

• HUIDs associated with names or with any other information that could identify individuals

• Institutional financial records (e.g., 33-digit billing codes), as opposed to individual financial records


More examples of Level 3?

• Student data not covered under Level 4, including non-directory student information and directory information about students who have requested a FERPA block*

• Info that could cause risk of material harm to individuals or HU if disclosed.

• Other personal information protected under state, federal and foreign privacy laws not classified as Level 4


Level 4

• Personally identifiable financial information (credit card #, bank account #, etc.)

• Passwords and Harvard PINs that can be used to access confidential information

• High Risk Confidential Information (HRCI) and research data classified as Level 4

• Info commonly used to establish identity that is protected by state, federal, or foreign privacy laws and regulations (SSNs, passport #, drivers license #, etc.)


More L4 definitions

• Info likely to cause serious harm to individuals or HU if disclosed

• Info about donors (who give money to HU)

• Individually identifiable genetic information that is not Level 5

• National security info (subject to specific government requirements)

• Personally identifiable medical information


Econ Staff are most commonly exposed to L3

• Student info (grades, reference letters, HUIDs, etc.)

• HR info

• L3 research data

• Staff and faculty HUID numbers combined with other ID info

• HU (not personal) financial info


And often enough to L4

• Individual financial info (usually faculty)

• PINs and passwords

• Passport numbers

• Drivers license numbers

• SSNs

• Credit cards, bank accounts, etc.

• Donors?


Where to keep L2 data?

H: drive or g.harvard.edu

In Econ, any info that could be private or sensitive, or that has any value to HU, should be kept on the H: drive or Harvard’s Google drives, rather than on the local disk drive.


Where to keep L3 data?

• Documents and spreadsheets containing student grades, HUIDs, L3 research data and reference letters may be stored on the H: drive or Harvard’s Google Drive (g.harvard.edu)

• L3 data, including reference letters, may be e-mailed but only in small quantities (one letter to one recipient, for example).


Econ Dept. Policy states…

No data related to economics department work or activity should be stored on the local disk of your computer. All info that is not L4 or above should be kept on the H: drive or on g.harvard.edu.


Where to keep L4 data?

The best way to handle this type of info is not to have it. If you must keep it, do not keep it on the H: drive or g.harvard.edu. Acceptable alternatives:

• Harvard SharePoint is approved for L4 data

• IronKey encrypted memory stick, kept in a locked drawer when not in use

• On paper, if kept in a secure location


You don’t have SharePoint, an IronKey, or a lockable drawer?

• SharePoint access and training – http://huit.harvard.edu/pages/sharepoint-harvard-getting-started

• Where to get an IronKey – [email protected]

• Where to request a lockable drawer or a safe – [email protected]


So what was it you were gonna say about student data?


What is the Family Educational Rights and Privacy Act ("FERPA")?

• A federal law that gives students specific rights to control access to their education records

• A student must consent to disclosure of information from her education record

• Anyone at Harvard with access to current and/or former students’ educational records must be aware of and adhere to FERPA.


What exceptions does FERPA permit?

Disclosure of “Common List”, or directory, info such as name, student residence, student phone number, ID photo, academic dept., DOB, etc.


Unless there is a FERPA “Block”

Block would have to have been requested by the student.


What the Block does

• Prevent disclosure that the student once attended or is currently enrolled in a Harvard School

• No directory information in any Harvard publication, including the phone directories and Commencement Book

• Remains in effect until the student officially authorizes its removal, even after graduation


What other disclosures does FERPA usually permit?

• Info related to certain types of crimes committed by the student (check with OGC first)

• Educational records, without a student's knowledge or consent, for legitimate use by HU faculty or admin staff

• Educational records for other institutions where the student has applied for entrance


How to securely transmit reference letters for students

• https://econjobmarket.org/ (secure upload)

• Accellion (encrypted) e-mail distribution: http://huit.harvard.edu/pages/accellion-user-guide

• Individual universities often have secure HR upload sites

• US mail, FedEx

• Harvard e-mail is now considered permissible, in small quantities.


More about SSNs and Credit Cards

• Whenever possible, securely dispose of files containing SSNs and credit card numbers

• It is acceptable, assuming L4 precautions are taken, to keep this info for the faculty you support, but you should never have files with large amounts of this type of data (SSNs, credit card or bank account info); if you do, please review with Peter and/or Belynda asap


Never e-mail SSN, Bank Account or Credit Card numbers

• Use the phone

• Use Accellion

• Use SharePoint (for regular intradepartmental or approved intra-Harvard sharing)


Your Passwords

• Use “strong” passwords: http://security.harvard.edu/faq/choosing-strong-passwords

• Never share your individual passwords, for sites that might have confidential or sensitive data, with anyone!


Faculty Passwords

• Faculty should not require you to know their passwords for personal logins to Harvard systems or any systems containing sensitive information

• Any faculty passwords you might know should NEVER be shared by you with anyone else


Scanning documents on Xerox Printers

• Harvard policy states that we should not be scanning documents to e-mail

• New printers, to be installed at the end of May, 2014, will allow us to scan directly to the H: drive


Even now, with the current Xerox printers…

Economics Dept. policy states that you should never scan L3 data (or above) to e-mail


Another word about HUIDs

HUIDs should be handled with caution. Whenever possible, avoid sending or keeping documents with:

• HUIDs

• HUIDs associated with names

• Many HUIDs in a single e-mail or file


What is the safest way to protect sensitive data?

Not to have any.

Please review any sensitive data you have on a regular basis, to make sure you really need it.

If you don’t need the info, delete it.


Again, Econ Dept. policy states

• No Econ Dept.-related data stored on the local computer (use the H: drive if data is not L4 or L5)

• No scanning documents that are L3 or higher to e-mail


Questions?

• Harvard University takes data security very seriously

• You are responsible for following Harvard policies, and may be liable if policies are not followed

• If you are unsure, never hesitate to talk to Belynda Bady, Peter Brown or to contact [email protected] about your concerns.


Thank you!