Information Technology Services

2.8 Confidential Information on Harvard Computing Devices

Harvard Enterprise Security Policy:

Policy Excerpt
Harvard Confidential Information must be protected if it resides on a Harvard user’s computer or a portable storage device. The theft of a computer or portable storage device must not put Confidential Information at risk of disclosure. See also Section 1.1: Storing High-Risk Confidential Information, which prohibits storing high-risk confidential information on such computer or device.

All University owned laptops must be encrypted.

All University owned user computers and servers must be scanned annually to locate High Risk Confidential Information (HRCI).

HLS Policy:

HLS ITS strongly discourages storing HRCI on local media, as the loss of such media will require HLS to disclose the loss as a data breach. Any data breach could severely damage the law school's finances and reputation.

HLS will encrypt all HLS owned and managed laptops and desktops. For more information regarding the HLS encryption policy please see the ‘Discussion’ Section below.

HLS ITS will work with your department to perform a scan of your network drives and departmental computers to find HRCI.

Approved Solution:

HRCI can be stored on your departmental drive if it does not need to be shared with other departments within HLS.

HRCI that needs to be shared with other groups in HLS needs to be shared via the M: drive.

HRCI that refers to you as an individual that you do not want others to access should be saved to your H: drive.

The preferred solution for full disk encryption for HLS is BitLocker for Windows 7 based computers. All other Operating Systems will be addressed on a case by case basis.

Discussion:

The University policy is a minimum requirement. HLS has chosen to exceed the minimum requirement for several reasons. The cost of a data breach is more than monetary. All members of the HLS community could be affected by a data breach, including Faculty, Staff, Students, Alumni, and Affiliates. The cost of protecting data is nominal compared to the negative effects a data breach could have on you or other members of the HLS community.

There is an age limit on computers that will be encrypted. Only laptops up to 3 years old and desktops up to 5 years old will be encrypted. Older machines will be replaced. Only valid HLS computer account holders should access the computer after it has been encrypted.

An HLS owned and managed device is defined as: HLS devices managed by the HLS or Clinical Domains (law.harvard.edu or clinical.law.harvard.edu). HLS owned devices are defined as: devices that are purchased using HLS funds and fully supported by HLS ITS.

In the event of a lost or stolen computer you should contact HLS ITS and inform them of the loss. For more information see section 9.2.

Last modified: February 11, 2014

© 2014 The President and Fellows of Harvard College. All rights reserved.