HSPH Information Security Policy
HSPH Security Briefing
Data security at the institutional level has become increasingly important, and we would like to share a number of important updates on measures taken by HSPH and Harvard University.
In an effort to educate the community on responsibilities, policies, procedures and technology in place at HSPH, the Information Technology department hosted a security briefing for the community on March 16, 2010.
Presenters include:
- Taso Markatos, Chief for Information Technology
- Andrew Ross, HSPH Security Manager
View: Webcast
Download: PowerPoint (slides)
Security Resources
- SPH Information Security Learning Module
- Harvard Enterprise Security Policy
- University Security Mandates
- Research Data Security Policy
- LMA Research Portal
- Report Stolen or Lost Laptop, Desktop or Portable Computing Device
- Secure File Transfer (Accellion)
- Security Incident Response Policy (pin-enabled)
- Report a Security Incident (pin-enabled, coming soon…)
- Advisory for Travelers (includes policy on encrypting laptops)
- Network Take Down Policy
A. University Information
University information may be broadly classified into one of three categories:
- Information that is generated publicly or is intended to be made public.
- Information that is gathered or generated for the University’s internal use.
- Confidential information pertaining to the University’s individual students, faculty and staff.
The information that employees generate or maintain in the course of their duties belongs not to them individually but to the University, which entrusts it to their custody. The custody of University information is the responsibility both of the custodian and his or her supervisors. Managers should adopt, announce and enforce safeguards and procedures to protect the confidentiality of such information. Everyone must protect the confidentiality of University information that is not intended to be made public. University staff may not use non-public University information for personal ends, nor obstruct its use for proper University purposes.
Particular care must be taken by supervisors and custodians with personally identifiable confidential information, such as students' financial aid, grades and academic evaluations; employees' salaries and performance evaluations; and family data and medical records. Such information must be accorded the strictest safeguards, so that access is given only to those whose duties require it. In addition, disclosure of information pertaining to students is subject to the restrictions of the Family Educational Rights and Privacy Act (FERPA), a federal law.
Rules about the retention of University information can be found at the web site of the Records Management Office.