An Information Security Working Group has been organized to review issues of safekeeping and confidentiality of information resources, identify risks, raise consciousness in the community and, where appropriate, develop policy statements, advisories, and guidelines. The working group has representatives from almost all the schools and major central administration departments. The intention is to build consensus among these groups, promote common definitions, compile good practices and check lists in the form of an Information Security Handbook which will be published and updated as the need arises.
While the effort was initially intended to look at administrative computer systems and the electronic distribution of data to the desktop, it was felt that the security issues of paper files, library, and research data could not be excluded. Many of the security practices recommended in the handbook are already standard practice for paper documents; they need to be extended to electronic forms of information as well. Moreover, the integration of systems across mainframes, minicomputers, microcomputers and networks makes it impossible to separate many of the concerns by application type. Security issues must be considered across many environments and media, including paper, which are increasingly shared among a heterogeneous community of users. Many of the people involved in this working group and in the University at large have cross functional responsibility and must look at security issues across their entire organizations.
The committee also studied some policy statements from other universities - Columbia, Cornell, Pennsylvania State and companies such as IBM, Contel Federal Systems, California State Automobile Association. Newspapers, journals, and Educom and Cause resources were combed for articles on good security policy. Where appropriate, these statements were used as models for Harvard policy statements.
In order to obtain a broader understanding of the needs and concerns of the community, some senior faculty and administrators were interviewed. Their views were solicited on security issues as well as to whom and how the policy and handbook should be issued. There was general consensus that this policy must be issued by the highest possible level of University governance and distributed broadly in the community.
Further, since security needs change, this handbook is only an initial pass at Harvard's information security concerns. It does not include Voicemail and Fax services, which should be covered in a comprehensive document. The Security Working Group recommends that the University maintain a standing security committee to review, adjust, and recommend new policy and guidelines as necessary, at least once a year, as well as support the departments as they implement their own local information security plans.
Finally, it is recommended that the management of major departments and schools designate an individual to be responsible for information security implementation and provide appropriate support for that person. Schools and departments may request help from Internal Audit in evaluating security vulnerabilities and implementation plans. As with other standards and practices of the University, the Internal Audit Department will incorporate security issues in their on-going audit efforts. OIT will continue to coordinate the activity of maintaining the Security Handbook, facilitating the meeting of the security working group, holding seminars on security subjects, and publishing articles of interest on information security.
This handbook was compiled by Mildred Koss of the Technology Evaluation Group of OIT. Any questions or comments should be directed to her (617-495-4501). Phyllis Mitzman of the Planning and Support Division of OIT edited Version 1 of this document with great care. Version 2 of this document reflects changes suggested by many readers from the Harvard community and in particular Lewis Law, Richard Steen and other members of the FAS Computer Services staff.
- Subcommittee Membership Data Management Subcommittee members MLydia Cummings (5-2136) - OFS/HRM Victoria Johnson (5-9132) - OFS Mildred Koss (5-4501) - Technology Evaluation, OIT John Lichten (732-1015) - School of Public Health Paul Upson (5-4607) - Harvard Law School
- Legal Issues Subcommittee members Scott Bradner (5-3864) - OIT Dale Flecker (5-3724) - HUL Mildred Koss (5-4501) - Technology Evaluation, OIT Marianna Pierce (5-4277) - General Counsel's Office
- Networking Subcommittee members Gary Holmes (5-9521) - Network Services, OIT Mildred Koss (5-4501) -Technology Evaluation, OIT Robert Lewis (735-2000) - Beth Israel Hospital Maura Scanlon (5-8644) - Real Estate Marilyn Shesko (5-5467) - FAS
- Operations Subcommittee members Michael Barone (5-3641) - Internal Audit Department James Conway (5-0301) - University Development Office Kristie Ferriell (5-1877) - Division of Continuing Education John Hahnfeld (5-9212) - Ed School Stephen King (5-3389) - Information Services, OIT Mildred Koss (5-4501) - Technology Evaluation, OIT Robert Manocchia (732-1253) - HMS Scott Samenfeld (5-1344) - Kennedy School Russell Sanna (5-0970) - Design School
- Policy Subcommittee members Dale Flecker (5-3724) - HUL Stephen Hall (5-3240) - OIT Mildred Koss (5-4501) -Technology Evaluation, OIT Martin Liander (5-5224) - Governing Board Christopher Nugent (5-6600) - HBS
OVERVIEW OF THE HANDBOOK
The handbook has several objectives:
1. To outline a basic University Information Security Policy;
2. To encourage ethical and knowledgeable behavior in all who use or provide information resources;
3. To provide a guideline for protecting valuable information assets from theft, damage, and unauthorized access or change;
4. To raise community awareness to confidentiality and possible legal requirements in treatment of sensitive University information, as well as the possible liability for inappropriate uses of information resources.
Unless specifically stated as enforceable policy or law the recommendations are advisory guidelines and suggested good practices, which are intended to give support and guidance to the users, managers, and owners of information resources. In addition to an Information Security Policy Statement, the handbook contains sections with guidelines that are relevant to specific segments of the community and their environment.
The Personal Computing Section is intended to give guidance on protection for information resources to the PC user population including faculty, staff and students.
The section on Data Management is directed toward the individuals and departments responsible for University Information Systems either centrally or in school departments.
The Operations section concentrates on protection for medium to large data centers such as OIT or the school facilities such as the Business School, Ed School or FAS Computer Services.
The section on Access Control suggests ways to protect information resources in different environments and very much depends on balancing the degree of risk, the value of the resources and the cost of protection.
The networking and LAN sections suggest protective measures and appropriate usage for those who use or manage networks or LAN's.
Misuse of Computing Resources is intended to give guidance on appropriate steps for intervention, when the manager or staff member of a facility suspects that someone is misusing resources.
The Legal Issues Section describes some of the cases where there are legal requirements on information, its care and issues of privacy. These cases are not comprehensive and this is an area of ongoing change.
II. INFORMATION AND SECURITY POLICY STATEMENT Information resources are vital University assets in the same way buildings and equipment are assets. Any person or organization who uses or provides information resources has a responsibility to maintain and safeguard these assets. Because computing systems and networks are shared facilities, their misuse can affect others. Each individual student, staff, and faculty member in the Harvard community is expected to use these shared resources with consideration for others. Individuals are also expected to be informed and be responsible for protecting their own information resources in any environment, shared or stand alone. It is unacceptable for anyone to use information resources to violate any law or University policy or perform unethical academic or business acts.
In the University, a natural tension arises between protecting the confidentiality of information and encouraging the sharing of information and ideas. While the need for security and the vulnerability of information resources must be recognized, it is also important to assess the value of the resources and the need to share them. The effort and cost of providing protection must be balanced against the value or sensitivity of the resources.
The resources included in the scope of this security policy statement are information, data, in any medium or form such as printed paper, digital, video, and audio representations: the computing hardware and software systems which access and manipulate information: and the network systems which transport information. The resources may reside in many different settings and environments and may be used for any academic or administrative purpose. Legal constraints directly affect the use of some of these resources. University policy may also affect the use of information resources. The multiplicity of needs involving information uses, locations, and protection dictates that a broad spectrum of possible security procedures is necessary. Security risks must be evaluated, and appropriate procedures must be selected and implemented by the individuals responsible for such assets.
Providers of information resources are responsible for ensuring that appropriate efforts are expended to maintain the integrity, confidentiality, and availability of these resources by:
- Protecting the assets from destruction, unauthorized use, or unauthorized change - Ensuring that processes are in place for correcting damaged systems to enable continuation of operations with minimal disruption - Balancing the need for security with the need for minimizing the complexity of information access - Educating their community about its responsibilities for information and the disciplinary actions for inappropriate use of information resources
Ultimately the community depends on a well balanced security program and the ethical and knowledgeable behavior of all who use and provide information resources.
Individuals seeking interpretation of guidelines, or assistance in implementation of security practices may contact a member of the University Committee for Information Security, which is charged with maintaining this policy.
III. PERSONAL COMPUTING
Personal Computing Guidelines: Personal computers on the desktop have become a popular alternative for certain types of information processing. They require security measures and good practices in the same way large computer systems in Operational Computation Centers do. Many of the security practices of the Computation Centers are now the responsibility of an individual user, who must be informed and responsible for the way personal computing resources are accessed and used. For instance, PC users must understand that there is a diversity of requirements for confidentiality of information from that mandated by law, such as student records, through one's own data on the PC.
Purpose: This portion of the handbook is intended to support the community of PC users in protecting their own information assets. It contains suggestions for protecting the hardware from damage and theft and preventing unauthorized access to the applications and data which are available by use of the PC.
Scope: This guideline focuses on security needs for PCs, both stand alone or networked, and in some cases, repeats information that can be found in other sections of the Security Handbook. In all instances the level of security control and costs expended should be balanced by the risk and security exposure.
Following are definitions for some of the terms used in this section.
Virus: "A program that can infect other programs by modifying them to include a possibly evolved copy of itself" (1)
Worm: "A program that spreads copies of itself through network attached computers" (1)
Trojan Horse: "A program which has inserted instructions designed to do things that the user of the program did not intend to do" (1)
Checksum: A calculated value which is generated based on the contents of a field, record or file . The value can be regenerated at any time to determine if the contents of the field, record or file has been changed .
(1) Steve White, David Chess, Chengi Jimmy Kuo, "Coping with Computer Viruses and Related Problems", Proceedings: Second Annual Computer VIRUS Clinic (c) 1989
A. Hardware Security
The following are suggested measures to physically protect personal computer assets from theft, damage or unauthorized access.
1. Where possible, offices containing PCs and workstations should be lockable, and keys should be registered and monitored to ensure return if an individual terminates. Depending on the risk and value of the system, security measures may include installation of motion detection alarms or card readers on doors accessing these rooms.
2. Any equipment located in publicly accessible areas or rooms that cannot be locked should be fastened down by some physical means such as a cable lock system or enclosed in a lockable computer equipment unit or case. The equipment may have a loop through which a cable can be installed. Hardware security devices are available at accessory stores.
3. If the personal computer is configured with a hard disk on which data and software are stored, it too should be secured against access, tampering or removal.
4. If the personal computer is not configured with a hard disk, then the data and software used on the machine should be secured when not in use, e.g., locked in a cabinet, safe, desk, etc.
5. PCs or workstations and their disks, with critical and sensitive data stored on them or accessible through them should be further secured against unauthorized use even by someone who has legitimate access to the physical space. a) Some PCs have a lock to prevent the system from "booting up" or the keyboard from being used. b) Some PCs have a lock to prevent access to the interior of the machine. c) It is possible to buy an added power supply lock for some systems.
6. PCs should be clearly marked for ownership.
7. PCs and other equipment can be registered with the Harvard University Police.
8. PCs should be located away from hazards of the environment such as leaking water pipes. Some systems may require controlled temperature, humidity, etc., or they will not perform reliably.
9. Fireproof vaults are recommended for storage of critical media.
B. Access Security The following are guidelines and suggestions for using logical means, i.e. software, to prevent unauthorized access to data or functions on personal computer systems. This is extremely important in situations where confidentiality of information is required.
1. Software packages are available for PCs which are designed to restrict access to the system or files by checking for authorized user identification and passwords.
2. Good practices in selecting and managing passwords: a) They should have a length (where possible) of eight characters. b) Ideally, passwords should not be words found in a dictionary and should include one or more numeric characters. Six character passwords may suffice for non dictionary words. c) Passwords should not be capable of being readily guessed by someone acquainted with the user. For example, they should not be maiden names, or names of children, spouses, or pets. d) Passwords should under no circumstances be written or typed in any document, on a piece of scrap paper, or taped to a computer. e) Unencrypted passwords should not be included in any electronic mail message, but should be communicated directly between individuals. Telephone transmission of passwords may be a problem since it is difficult to verify the other party. f) Special care should be used in choosing passwords for applications with access to extraordinary system capabilities (e.g., the ability to read personal or restricted data, the ability to modify system software, etc). g) Periodic password change is a good practice.
3. Specific applications such as Data Base Management Packages generally come with fairly comprehensive password control capability. If sensitive or confidential information is maintained in these systems it is important to use this added layer of security
4. Periodically review overall access controls to determine weaknesses
C. Ensuring Data and Software Availability
With the increased dependence of individuals and departments on their information resources, continuous availability of computing assets are a concern and possible security vulnerability. The following are some protective measures.
1. In order to minimize interruption of work caused by equipment malfunction or malicious damage, vital records should be backed up in a regular process and stored offsite for safety.
2. Programs should also be backed up and stored offsite to assure continuity of processing, if they are inadvertently or purposely destroyed.
3. With "backed up" data and programs it will be possible to restore the PC system to some prior status and continue operating should some problem occur.
4. There are no known ways to make a computing system completely immune from damaging attacks or processing problems. Other good security practices that decrease the risk of information loss: a) Check data and software integrity by using such techniques as checksums on files, or comparison of current files against backup files b) Install fixes to known problems expeditiously
D. Confidentiality of Information
Information which resides on a PC, whose confidentiality is mandated by law or University policy, requires special care and best efforts to protect from illegal access. The necessary measures may be beyond the physical and logical protection described above.
1. Sensitive and confidential information may require encryption under certain conditions.
2. Printers used for sensitive and confidential information should be either in a well monitored place or locally attached to the PC.
3. Fixed disks: If sensitive files ever reside on a fixed disk, their contents may be compromised. Even if the fixed disk copies are deleted, the operating system just reallocates the space to the available storage pool; it does not write over the files. Commonly available utility programs permit the contents of space in the storage pool to be read and reassembled into files. Furthermore, when a file is updated and rewritten to disk, the usual process involves writing the new version to another area and deleting the old version only after the write is successful. The contents of the deleted old version are not overwritten. Users of confidential materials should have a utility program that overwrites files.
4. Floppy disks or cartridges: Users that store confidential materials on floppy disks should have a utility program that overwrites files or entire diskettes, cartridges. Reformatting a diskette does not suffice, since there are utilities which can undo a reformat. A truly floppy diskette can be cut in half, but the rigid diskettes are not amenable to this solution. When reusing a diskette with confidential items, one alternative is to delete all its files and then copy the largest available harmless file (i.e., an executable program) over and over on the diskette until it is full. The copies can then be deleted and the diskette reused safely.
E. Ethical and Legal Software Use (see Appendix A and the Section on Legal Issues )
1. Software is protected by copyright law. Unauthorized copying is a violation of this law.
2. Unauthorized copying of software may result in legal liabilities for the University, and may subject the individuals to disciplinary measures or legal liabilities.
3. Users should examine their PC software and understand and comply with license requirements. Users should also examine the possibilities for group site licenses, shareware and public domain software.
F. Viruses, Worms and Trojan Horses
As previously stated computer viruses and worms are self-propagating programs that can infect other programs by modifying them to include a copy of themselves. When the infected programs are executed, the virus/worm spreads itself to still other programs. Viruses and worms may destroy programs and data, they may use up resources such as fill memory, usurp computer cycles, etc. Trojan Horses can insert damaging instructions in any program. While viruses, worms and trojan horses are of particular concern in the networked and shared resources environments because of the scope of possible damage, they can also impede access to one's own personal computer. It is illegal, unethical and contrary to University policy to use PCs to generate viruses, worms, or any malicious devices to contaminate other information systems.
1. Introduction of viruses and other contaminants can occur through a variety of channels:
a) Software introduced into or used on the system by an outsider who had access to the system b) Software used at home on an infected system c) Software purchased from a vendor who has an infected production system d) Infected software from bulletin boards e) Software intentionally infected by a disgruntled employee
2. Viruses and worms can cause widespread damage by exploiting holes in system software. Fixes to this software should be made expeditiously.
3. In order to decrease the risk of viruses and limit their spread:
a) Check all new software before installing on the disk. It is risky to allow someone to place software that has not been tested or validated on the personal computer. b) Use software tools to detect and remove viruses c) Isolate immediately any contaminated system d) Keep master diskettes secure
G. Check List of Some Important Considerations for PC Users
1. Has the physical environment been reviewed for security: access control, fire hazards, humidity and heat?
2. Is the equipment marked with appropriate identification?
3. Should the equipment be bolted down or locked in some way?
4. Is there a maintenance contract on the equipment?
5. Have the critical data and programs been identified, and are they being backed up on a regular cycle?
6. Has the backup media been stored at a different site?
7. Is the restore process planned and tested?
8. Have alternative processing arrangements been made for data, programs or equipment that is temporarily unavailable?
9. Is any sensitive data kept on the system, and are passwords needed?
10. Are the passwords well constructed and well managed?
11. Is the software on the system a legitimate copy with an appropriate license?
12. Who has the right to add software to the system?
13. Is there virus detection and prevention software on the system?
14. Is software tested for viruses or other problems before being installed on the system?
15. Is training necessary to use software and hardware properly?
16. Are all the people who use a system well known?
17. Are there risks of damage, loss, or exposure for which insurance might be considered?
a) Loss of software and hardware through malicious or inadvertent destruction b) Loss of information, papers or files c) Vital records and program backups in case of destruction d) Disclosure and release of restricted information
H. Personal Computers on a Local Area Network (LAN)
Personal Computers on a local area network in a department have all the same security considerations and good practice requirements as stand alone computers, but with an added potential for seriously damaging other systems because of the shared resources. While the department LAN manager has responsibility for setting up and maintaining appropriate security procedures on the network, each individual is responsible for operating his/her own PC with ethical regard for others in the shared environment. The following are considerations and procedures that must be emphasized in a LAN environment:
1. Bulletin board and external system down loads on the network should be checked for problems.
2. Installing untested software that may contain a virus/worm can have serious consequences for other PCs and servers on the network. They can spread rapidly to other systems, by exploiting holes in system software or take advantage of vulnerabilities in security practices.
3. The choice of easily accessible passwords on one system can facilitate unauthorized use of documents and files on the LAN servers or other PCs.
4. The department/school LAN may have access to the High Speed Data Network extending the potential for damage to the national and international networks. Users who have access to the HSDN and LANs should review the section on Network Security and Acceptable Use.
5. In a LAN environment there will probably be data, software, and print servers with appropriate backup and restore processes. Individuals should be able to coordinate their backup and restore needs for files on the servers with the department/school LAN manager and depend on LAN services, if they exist, for maintaining computing availability in case of problems. Local PC files will still need to be backed up and protected by the individual user as in the stand alone mode of processing.
6. Securing access to services on a network often involves a layering of security controls which may include several different passwords. The department/school LAN manager will determine security practices in this case. The different types of access that may be needed are:
a) Access to the network b) Access to specific services or applications on the network c) Access based on certain privileges and functions within a service, such as a data base package
7. Users wishing to send confidential information over a network will probably need to use encryption/decryption services as well as authentication services to verify that the information is being delivered intact to the correct location.
8. Program copying, sharing and licensing issues: frequently there are shared programs on the software server (i.e., a single copy can make a program available to many people saving substantial amounts of space as well as license fees). Those who use these services have a responsibility to observe the licensing contract terms and not seek to bypass them. Some vendors are willing to allow licensing of copies controlled by concurrent use. The quota of concurrent software launches must be controlled per the number of licensed copies.
IV. DATA MANAGEMENT
Data Management Guidelines:
Information is a vital, sometimes intangible, University asset, which requires care and protection in the same way buildings and equipment must be cared for. Any facility that maintains institutional data is expected to use best efforts to ensure appropriate privacy and integrity of the information as well as availability to all who have been granted access. While recognizing the University's responsibility toward the security of its information, the procedures established to protect that information should achieve a balance with the efficient conduct of University business.
Purpose: To identify measures for the protection of information processed and stored by the University. This guideline is intended to heighten awareness to the sensitivity and importance of information, especially to the responsibility that accompanies access and exposure to data at the central and local distribution levels. Education in appropriate care of information at all levels of the University community is crucial.
Scope: This guideline applies to all information in any form (paper, film, electronic, etc.) owned by the University and used in the conduct of University functions and business. Since computerized data has the potential for broad access, rapid dissemination, and access by unseen users, it may need additional protection. The procedures should be followed by anyone dealing with or responsible for University information. Certain areas of the University that store and maintain institutional data may have additional guidelines for confidentiality or release of data governed by University policy, foundations, or state and federal policies.
A. Definition of Terms
1. Institutional data: data in any form, that is owned and used by the University to conduct its business, and which is captured, stored, maintained, and accessed in University systems.
2. Operational facility: any University office that maintains institutional data.
3. Operational computation facility: any University office that maintains computer hardware, software, and services for capturing, storing, maintaining, and accessing computerized institutional data.
4. Custodian: an administrator or designee, generally not a computer professional, who is responsible for institutional data. The custodian defines the data, ensures the data's accuracy and completeness, and establishes data use and protection requirements. The custodian is responsible for ensuring that there is appropriate education and training in the use and modification of this data.
5. Access and security administrator: an individual designated by a major University unit (e.g., department, school) who, together with the appropriate data custodian, coordinates requests from administrators, faculty, and staff within the unit for access to University information systems.
B. Specific Guidelines for Appropriate Practices and Care of Institutional Data in any Form
1. University information systems will contain only data relevant to fulfillment of the University's mission
2. Institutional data will be used solely for the legitimate functions of the University
3. Institutional data, regardless of who collects or maintains it, will be shared only among those faculty, staff, or student members who have a need for knowledge of such data
4. Safeguarding of institutional data will be the responsibility of each individual with knowledge of such data
5. Operational facilities will exercise due care to protect institutional data from unauthorized use, disclosure, alteration, or destruction, whether accidental or intentional. Individuals given access to institutional data must be appropriately instructed on proper use and care of such information.
6. Availability and access to institutional data and information services by faculty or staff members who have a need to know is vital to the conduct of University business. Best efforts will be made by operational facilities to ensure this availability and access.
7. Appropriate University procedures will be followed in reporting any breach of security or compromise of safeguards. (See Legal Issues Section X, and student handbooks)
8. Any faculty or staff member of the University engaging in unauthorized use, disclosure, alteration, or destruction of data in violation of this policy may be subject to disciplinary action, including possible dismissal. (See Sample Statement of staff responsibility in Section XII )
9. Applicable federal and state laws and University policies and procedures concerning storage, retention, use, release, communication, and destruction of data will be adhered to.
C. Additional Guidelines to Limit the Risks to Computerized Institutional Data
1. Processes should be in place to ensure and verify that the data on a computer has not been altered or destroyed illegally. This may imply the use of protective practices to cover many aspects of the computing system such as issuing user IDs and password control, as well as monitoring for attempted incursions. (See Operations section)
2. The custodian of a computerized system is responsible for specifying how the data is to be used and protected, taking into account the value of the data and the applicable legal requirements. A custodian might find it useful to classify data in a computer system as public, restricted, or confidential to help guide thinking on access privileges. Before granting access to data, the custodian must be satisfied that protection requirements have been implemented and that a need to know has been clearly demonstrated by the requester. The custodian may wish to formulate a written statement that outlines the responsibility of accessing such data. ( See Sample Statements Section)
3. The responsibility for granting access to distributed information in the schools and departments lies with the designated Access and Security Administrators, along with the data Custodians who understand the data and its intended use.
4. Best efforts will be made by custodians to ensure the accuracy and integrity of computerized institutional data. This implies that instruction is available in an on-going program on the correct definition, use, and contents of data fields. This also implies that techniques for checking the integrity of computer files (such as keeping a checksum) will normally be used in file maintenance.
a) Checksum: A calculated value which is generated based on the contents of a field, record or file . The value can be regenerated at any time to determine if the contents of the field, record or file has been changed .
D. Appendix C contains a list of resources and other material on security practices
V. OPERATIONS
Operations Guidelines: Harvard's computer systems are vital to the University's programs of instruction, research, and administration. Each Operational Computation Facility is responsible for ensuring, to the best of its ability, that its systems are secured from potential loss, damage, or unwarranted alteration, and that if such effects do occur, appropriate detection, monitoring, and restoration procedures are in place.
Purpose: All segments of the University use information systems, and it is important that the facilities be managed and used properly. These guidelines are intended to set forth good practices in computer use, operations, and management.
Scope: These guidelines are particularly applicable to large mainframes in operational computation facilities. They are in varying measure also applicable to the full range of computing systems from minicomputers to PCs. Again the procedures established to protect data and systems should balance the security concerns with the basic ability of the operation to efficiently perform its mission i.e., some recommendations may be too expensive, time consuming, or restrictive for academic and research computing centers. The goal of these practices is to assure the reliability and ongoing availability of the University's computer resources and information systems.
A. Accountability for Controls over Information Systems
1. Ensure that all personnel using the University's information resources are continuously aware of the importance of information assets and of their responsibilities toward protecting these assets
2. Assess the value or sensitivity of information in order to determine the protection, monitoring, and accountability required
3. Evaluate and specify control and protection requirements for information. Specify ownership. Limit physical and electronic access to information on a strict need to access basis. Authorize access based on this criteria.
4. The compliance of individuals should be monitored with established controls. The controls should provide the ability to trace violations or attempted violations of information security to individuals who may be held responsible.
5. Clearly define the responsibilities among owners of data, users, and MIS staff
B. Operating Systems Security
1. The security and performance of operating system software is critical to a production-application environment. Key vulnerabilities for operating systems software include loopholes, bugs, currency, and support. The systems architecture needs to be documented and periodically reviewed to ensure loopholes are known and then either closed or closely monitored. Operating systems' software problems need to be documented, prioritized, and corrected through a problem/change management program. The organization must consciously define policy on maintaining currency of different software platforms. Cross-coverage and cross-training of technical staff is strongly encouraged.
2. Operating system security policy must be derived primarily from the information security needs and mandates of the users. The technical staff builds and maintains the infrastructure to accomplish that mandate, deploying sound techniques and technologies and recommending same.
3. Fundamental to the security and performance of operating systems software is the person(s) directly responsible for individual products as well as an accountable manager/supervisor. Where possible (large staff) the manager/supervisor should be different from the applications and production managers.
C. Backup and Restoration of Software and Data
A major security concern for any operation is the ability to maintain computer system availability. If the data or software is destroyed inadvertently or maliciously on a system, there must be copies of the data and software available that can be restored to allow continuation of processing with a minimum of effort on the part of the user. This implies that data and software must be copied to a separate backup medium on a regular cycle for contingent use. The backup material should also be kept in a location separate from the original system to protect it from the same hazards. Backup and restoration have long been a regular practice in large data centers. They are equally important in stand alone PC environments. Each site should establish appropriate backup practices, identify appropriate backup locations, and inform its constituency accordingly.
In a networked environment it is also a major concern to maintain connectivity to the computation center by arranging for use of alternate media and/or paths for communicating if a problem arises.
1. Backup:
a) Applications software should be copied to a separate backup medium as new applications are added to or on a daily basis, depending on site requirements.
b) Systems software should be copied weekly and as major changes are made to system software.
c) Data file copies should be created (if not already available) prior to any batch updating or daily before interactive updating. This may need to be done more frequently depending on the number and importance of transactions.
d) The number of backup files and the rotation cycles should be determined as part of a system design.
e) Backup materials should be stored in off-site storage with:
(1) Environmental control: safe from vandals; temperature and humidity regulated as media manufacturer recommends. 2) Physical access: ability to access backup files as needed (24 hours/day).
f) Rotation of back-up files: for example, most current backups secured off-site; next current at secondary location; next current on-site.
2. Restoration:
a) Continued compatibility requires that the backup files can be read by system hardware and software and applications software.
b) Media degeneration implies that files should be copied to fresh media as the manufacturer recommends (for example, every two years for tape media).
3. Operations: the following are some steps to include in the backup and restoration processes to assure that the correct files will be available when needed:
a) Appropriate data center procedures for creating a back-up include such items as: 1) Timing (files closed) 2) Verifying good end-of-job 3) Logging backup media appropriately
b) Appropriate data center procedures for restoring files include such items as: (1) Timing (restore is necessary and appropriate) (2) Verifying good end-of-job (3) Proper selection of data being restored
c) Appropriate data center procedures for escalation in case of problems should be in place, i.e., anomalies while back-up or restore are taking place.
D. Vital Records Planning
For major University applications, departments are responsible for implementing archival and retention schedules (Vital Records Plans) as determined by the application custodian(s). Steps required to implement a Vital Records Plan include:
1. Identify all data files within a system
2. Determine the custodian of each file
3. Establish necessary back-up frequency of a file based on custodian input and frequency of update
4. Establish retention for each back-up in conjunction with custodian after determination of state, federal, and institutional requirements, for example:
a) Daily = 10 generations b) Weekly = 4 generations c) Monthly = 12 generations d) Annual = 7 generations
5. Consider automation of the vital records system, according to the size of the back-up library
6. Assure that all back-up media is viable for length of retention; establish procedures to copy back-ups to fresh media as necessary
E. Risk Assessment
It is important for users to understand the value of their systems and data to their ongoing operations. A survey might be prepared to help them understand their critical needs (see sample questionnaire in Appendix B and Information Technology Security Questionnaire in Appendix C))
1. Users should know how they would manage if a given system or data were not available or destroyed. What would be the effect if:
a) Required systems were not functioning for a period b) Required systems were destroyed c) Information was read by an unauthorized user d) Information was modified without evidence e) Unauthorized data was added
2. Once they understand critical systems and data, users need to evaluate their risks and have an appropriate plan of action for the most critical ongoing operations.
F. Disaster Recovery Plan (DRP) for Operational Computation Facility Operational computation facilities are responsible for developing a plan, making arrangements, and then testing procedures to resume normal operations within a defined period of the occurrence of a natural disaster or human act of destruction. The following are items for consideration:
1. Critical applications: the major clients and users of the computation facility need to be inventoried and updated annually. Each application needs to be assessed from a risk perspective. How many days before normal operations must resume? Can a manual procedure supplant the automated system for a period of time? How mission critical is this use of the computation facility? Is documentation for the critical applications up-to-date? Are back-up personnel support resources identified?
2. Facilities: disaster recovery alternatives must include resuming operations at a hot site, cold site or sister location. A hot site is one that is kept in a state of readiness for operations at all times and is the most expensive alternative. A cold site is one that is made ready for operations when a disaster occurs. A sister location is one similar to the site in use that can provide resources if a disaster occurs. This is generally a mutually beneficial agreement. The particular type of site chosen should be the result of a cost benefit analysis. There are three or four major companies providing or arranging these services today. A key concept to define in the DRP is a command center. Where will the recovery center be? How will it be organized? Are there any employment contract considerations? One important area often overlooked is data communications. A disaster recovery plan should include a check of the network integrity as well as identify alternate connectivity if there is a problem. The telecommunication carriers are an integral part of the recovery, as are computer vendors.
3. Organization: the disaster recovery plan for the computation facility should be part of a full business recovery plan. More than likely, a disaster will affect more than the facility. In all dimensions of this plan, a chain of command must be clearly defined. Roles and responsibilities of computer personnel, business operations personnel, and vendor personnel must be outlined. Both the business recovery plan and computer disaster recovery plans should be stored off-site and accessible potentially by an independent party.
4. Testing: an annual walk-through or fire drill of the DRP needs to be performed. Different cases or segments ought to be tested. The documentation ought to be updated as needed.
5. Financial: up to one percent of the annual computation facility budget should be spent on disaster recovery. This will vary according to criticality, facilities, organization, and testing requirements. The Office for Information Technology provides University consultation on disaster recovery strategy and plans.
G. Data Integrity (see section on Data Management)
1. There should be processes in place to ensure that data has not been altered or destroyed illegally. For operational computation facilities this may imply the use of an umbrella security package to cover many aspects of the computing system, including password control and monitoring for attempted incursions.
2. Ensuring data integrity may require using such techniques as checksums on files or comparison of current files against backup files.
a) Checksum: A calculated value which is generated based on the contents of a field, record or file . The value can be regenerated at any time to determine if the contents of the field, record or file has been changed .
H. Systems/Applications Development
Following are some standard steps in applications development. Each stage should contain an evaluation of the potential security risks of the system and appropriate measures of protection. (See sample survey and departmental policy statement in Appendix B) While these development steps are most critical to large University applications, they apply in varying degree to smaller applications. Ultimately, the development of robust and tamper-proof systems is a major goal for any security policy, since they assure reliability and access to the University's information systems.
1. Initial system definition:
a) Statement of of needs, goals and objectives b) Preliminary design: (1) estimates of volumes of data and transactions (2) priorities of development and processing (3) project tasks
c) Developers' responsibilities d) Users' responsibilities e) Owners' responsibilities f) User approval process g) Cost benefit analysis h) Selection of an applications development methodology and standards
2. Design:
a) Functional requirements and modules b) Data requirements c) Interfaces, data flows d) Operating, audit, security, control requirements e) Testing and acceptance strategy f) System and application hardware/software requirements g) Identification of application/data base tools appropriate to the needs of the project h) Initial prototyping where possible
3. Development:
a) Detailed functional module design and prototyping
(1) Prototyping helps users critique and understand function designs
b) Implementing and testing in a modular mode with users
c) Load and validation of any existing data
d) Test of security, audit, control functions
e) Test of backup, restoration capability
f) Software and data documentation (on line, where appropriate)
g) Documentation of functions and operations procedures
h) Training
i) Acceptance by responsible owners, administrators, and users
4. Training and support:
a) Users and user groups
b) Administrators
c) Access control, locally and distributed
d) Operators
5. Maintenance:
a) Correction of errors
b) External and internal changes in requirements
c) Change management process
6. Enhancement:
a) New functions and changes in requirements follow steps 1, 2, 3, 4
I. Auditability
1. Changes and updates to systems and data must be traceable to accountable individuals and source documents.
2. It may be necessary to maintain a log of processes that is generated whenever data is created, accessed, duplicated, destroyed, or moved.
J. Insurance: the following are some items to be evaluated for risk of damage or exposure and possibly insured against loss:
1. Vital records backup safety
2. Software and hardware damage including: hardware movement or changes: malicious or inadvertent destruction
3. Disclosure and release of restricted information by employees
4. Site damage, air conditioning breakdown, power failure
5. Loss of information or files
6. Loss of valuable papers
7. Dishonest employees
VI. Access Control
Access control is such a critical aspect of the security picture it is being included as a separate section, although much of this information may be found under other headings, particularly Personal Computing.
Access Guidelines: Unauthorized access and misuse of data, software, and computers threatens the University's ability to obtain information vital to its ongoing operation. This is true of misuse of information in any medium including paper, digital, video and audio. Any facility that maintains institutional information is responsible for developing procedures to deny unauthorized access and assure appropriate use to the best of its ability.
Purpose: This policy statement is intended to give guidance on good practices in access control to all who are responsible for assuring information access and resource availability.
Scope: This guideline is applicable in varying degree to the full range of information access, including paper and paper files, data, software, and computers. In all instances the level of security control and costs expended must be balanced by the risk and security exposure.
A. Responsibility for Access Security Department heads and heads of administrative units are responsible for assuring that procedures are in place for maintaining access security, including education of their constituency in these procedures.
B. Physical Security The following steps are proposed guidelines for physical security of information assets at the building, computer facility, and individual workstation levels.
1. Building level security: because of the value of the systems and significant security risks, buildings housing institutional information resources can be secured through a combination of alarm systems, limiting access through designated entrances outside of normal business hours, and posting guards and sign in procedures to ensure access to authorized personnel and students only. Motion sensors connected to central alarm boxes can be installed in vulnerable rooms, as well as alarms at the building entrances. With such a system doors would be kept locked, with keys controlled appropriately
2. Computer facility level security:
a) Computing facilities can be secured when not open for business through installation of motion detection based alarm systems. These should connect to a central alarm box monitored by a security guard.
b) Rooms containing key resources such as mainframe, minis, and LAN file-servers should be locked, and keys should be available to authorized personnel only.
c) When keys are distributed they should be registered and tracked so that their return can be ensured when people terminate their relationship with the school.
d) Facilities should be staffed to ensure that terminals, PCs and other equipment located in publicly accessible areas are not easily taken from the facility and that users cannot tamper with the equipment. Students and others allowed to use the equipment should be required to get permission from authorized management to attach their own equipment to computer center resources.
e) Data center access - other measures: (1) An electric controlled entry mechanism may be installed to help screen for authorized access (2) May have a secure area for proprietary forms and output (3) May have a fireproof vault for critical application media such as tapes
f) Multi-user computer systems and workstations within a work group should be located in a secure area to which access is carefully restricted. Only persons who have authorized business with the computer equipment or its system console should be allowed unaccompanied access to the physical space housing the equipment.
g) Desktop systems - Workstation and PC (see section on Personal Computing)
3. Environmental problems: some systems may require controlled temperature, humidity, etc., or they will not perform reliably
4. Fire: fireproof vaults are recommended for storage of critical media
C. Logical Security
In many instances security should be above and beyond the physical mechanisms and should specifically limit use of the computer to certain authorized users and functions. Logical security measures, generally entailing software, may provide another level of protection.
1. Multi-user computer systems:
a) Multi-user computing systems may need the services of an umbrella security package (such as ACF2 on the IBM mainframe) to provide a comprehensive protection approach. Such packages also require the designation of an access and security administrator whose responsibilities include monitoring the diagnostics for password abuse, attempted incursions, etc.
b) If the multi-user computer system is accessible over a network or via dial-up (see Network Security - Section VII), access could be monitored, if necessary, and logged so that unauthorized access or attempts to access can be quickly identified, prevented, and in some cases, reported to the proper authorities.
c) Automatic log out of any terminal that is not used for some specified period is suggested to further control unauthorized access.
2. Passwords (similar to recommendations in section on Personal Computing):
a) Access to a multi-user computer system should be governed by passwords with a minimum length (where possible) of eight characters.
b) Ideally, passwords should not be words found in a dictionary and should include one or more numeric characters.
c) Passwords should not be capable of being readily guessed by someone acquainted with the user. For example, they should not be maiden names or names of children, spouses, or pets.
d) Passwords should under no circumstances be written or typed in any document, on a piece of scrap paper, or taped to a computer terminal.
e) Unencrypted passwords should not be included in any electronic mail message, but should be communicated directly between individuals. Telephone transmission of passwords may be a problem since it may be difficult to verify the other party.
f) Accounts that give access to extraordinary system capabilities (e.g., the ability to read data belonging to others, the ability to modify system software, etc) should be protected with more than one password and the passwords should be selected with special care.
g) Periodic password change is a good practice.
D. Viruses and Worms
Viruses and worms are of particular concern in the networked, shared computer resources environments.
Computer viruses and worms are self-propagating programs that can infect other programs by modifying them to include a copy of themselves. When the infected programs are executed, the virus/worm may spread itself to still other programs. They may then perform further malicious damage such as changing data/programs, usurping computer cycles or clogging the networks. It is illegal, unethical and against University policy to use University systems to generate viruses, worms, or any malicious devices that contaminate other information systems, computers or networks.
1. Viruses and worms can spread rapidly in a network or computing system and cause widespread damage without anyone intending them to. They often spread by exploiting holes in system software or taking advantage of vulnerabilities in security practices.
2. There are no known ways to make a general computing system completely immune from viral attacks. Good security practices to decrease the risk of damage include:
a) Keep good backups of critical data and programs b) Check data and software integrity by using such techniques as checksums on files or comparison of current files against backup files c) Install fixes to known system problems as expeditiously as possible d) Periodically review overall controls to determine weaknesses e) Use access control facilities to limit access to information by users, consistent with their job duties and management policies
3. Introduction of viruses can occur through a variety of channels: a) Software introduced in or used on the system by an outsider who had access to the system b) Software purchased from a vendor who has an infected production system c) Infected software from bulletin boards d) Software intentionally infected by a disgruntled employee
4. Decreasing the risk of viruses and limiting spread, particularly from PCs (see recommendations in the section on Personal Computing).
VII. NETWORK SECURITY POLICY AND ACCEPTABLE USE
Network Security Guidelines:
Harvard's data networks and their availability are vital to the University's programs of instruction, research and administration. They can provide connectivity to resources throughout the University, as well as to national and international networks. Each participant in this environment is responsible for using this resource appropriately, protecting it and not infringing on any other individual's ability to use it legitimately. Users should practice the same legal and ethical principles for networks as for personal computing.
Purpose: These guidelines are intended to provide information and heighten awareness about good practices in network use. Since broad segments of the University share these networks and may be dependent on their reliable and secure functioning, bad computer/network practices have the potential to impact a very large community.
Scope: This policy is intended to cover use of the campus High Speed Data Network (HSDN), local area networks (LANs) connected to the HSDN and the national and international networks.
A. Purpose of the Harvard University Networks The purpose of the Harvard University Networks (HUN) is to support the research, education, and administration needs of the various constituent schools, departments, and offices of Harvard and other academic institutions by providing access to unique resources and the opportunity for collaborative work.
B. Acceptable Use Policy The following statement is based on the interim NSFNET acceptable use policy, since Harvard University Networks' (HUN) acceptable use needs closely match those of NSFNET. The HUN designation for this document includes the backbone and all connected department local area networks.
The various middle level networks, which may have other requirements for their use, may wish to formulate additional use policies for traffic that will traverse their local area networks.
1. All use must be consistent with the purposes of the HUN.
2. The intent of the use policy is to make clear those cases that are consistent with the purposes of the HUN, not to exhaustively enumerate all such uses.
3. The Harvard University Network Operations Center (NOC) may at times make determinations that particular uses are impacting the operation of the HUN and take appropriate action to curtail them. These determinations and actions will first be escalated through the normal management processes and then, as necessary, reported to and reviewed by the HSDN Technical Committee, made up of representatives of the major user groups.
4. The Harvard University Network Operations Center (NOC) may at times make assessments that particular uses are or are not consistent with the purpose of the HUN. Such assessments will be escalated through the normal management processes and then reviewed with the HSDN Technical Committee as well as the Security Working Group. A joint determination will be made and reported to the user community. If a determination cannot be made, the issue will be raised to other appropriate University committees or offices, which also address policy questions.
5. The managers of local area networks together with their department/school administration may at times make determinations that particular uses are or are not consistent with the purpose of their particular LAN and inform their constituency of such decisions.
6. Use of the HUN for a project that is part of or supports a research or instructional activity for Harvard and approved by Harvard is acceptable, even if any or all parties to the use are located or employed elsewhere. For example, interaction between a Harvard research activity and an industrial affiliate is acceptable for Harvard approved project.
7. Use of the HUN for commercial activities by for-profit institutions is generally not acceptable. VIII. HIGH SPEED DATA NETWORK SECURITY AND MANAGEMENT Security is one of the major concerns in modern data networks. Within the overall heading of security, there are a number of specific problem areas. They are: unintended release of information including passwords, unintended access to data, and unauthorized modification of data. This section includes a description of the HSDN design for security, reliability and availability and some measures that are used to limit the possibility of security breaches. A. University High Speed Data Network (HSDN) Design and Operational Security Requirements (i.e., backbone security design criteria) 1. Fiber optic facilities are used whenever possible. Fiber is the most promising medium for future expansion and offers the best protection against unauthorized access, i.e., taps. 2. In order to protect the privacy of network users, the design of the backbone system and lan connections provides for isolating the traffic of the various networks from each other. The interface of lans to the HSDN is at the node sites and not at the user end sites. Thus a tap into a lan will yield only access to that lan's traffic, not the traffic of the HSDN or other lans. 3. The system is designed such that if one leg of the network fails or is isolated, it will not affect users on other legs. 4. In order to reduce the exposure of the network and to simplify trouble isolation, HSDN equipment is located in a limited number of sites. 5. The NOC operational machines are configured to create a robust environment, with each machine restricted to a limited number of functions. This configuration ensures that individual hardware or software failures will have minimal impact; it also reduces the cost of providing redundant machines. 6. HSDN equipment at remote sites is in locked cabinets accessible only to NOC staff. The cabinets are placed in a secure area. 7. The Network Operations Center is securely located with access limited to NOC staff. There are alternate routing possibilities (both media and route) from the NOC to the campus network.| 8. In order to prevent a power failure at a centralized location from impacting other building networks, power backup will be provided at the HSDN node locations. B. Operation Responsibilities of the Network Operation Center The following are activities that are performed by the NOC staff. 1. Installation/upgrades and coordination of networks: a) Identify the administrative and technical contact for each lan connected to the HSDN b) Maintain central network addresses as required| c) Coordinate all network activity with network contacts| d) Answer questions on the status of the HSDN and the external networks 2. Monitoring/diagnosis requirements:| a) Centralized monitoring of the backbone network to the external network interfaces and the network-to-building LAN interfaces to: (1) detect errors (2) provide information for capacity planning (3) diagnose and repair data transport infrastructure as required b) Optional monitoring of: 1) building LAN core hardware 2) building LAN operating system (3) service machines (4) individual subscriber links c) Performance management and reporting: (1) track uptime and causes of outages (2) traffic reporting and analysis (3) generate trouble tickets to track problems 4) track repairs and close tickets| d) Software management - best efforts to provide: (1) open list notification of identified software holes (2) open list notification of known viruses (3) limited distribution of software fixes| e) Backup and recovery: (1) machine backup (alternate location) for essential NOC services (2) backup procedures for all operations data bases (3) fiber support plan for restoration, including fiber replacement if necessary C. Logical Security Because the networks make it possible to access many different resources remotely, each having its own security requirements, gaining access to services on a network or a computer on the network often involves a layering of logical security controls. The following are some practices that will help to reduce the possibilities for illegal incursion and breach of privacy on the network 1. Passwords: secure and well formed passwords (see sections on Personal Computing, Operations and Access Control), which allow appropriate access to services available on a network, are critical to the ongoing productivity of the network. The following passwords may be needed: a) User identification to access the network or computer b) User identification to access specific services or applications on the network or computer c) User identification to obtain certain privileges and functions within a service 2. User Authentication There is potential for a security breach if users' passwords are sent over the network in such a form that anyone with access to the physical network can intercept them and reuse them. With the vast expansion of data networks in scientific research and office administration, it is almost impossible to completely protect the physical network. Since passwords are the basic way that a user is authenticated by a network service provider (i.e. a time shared computer), the potential for passwords being captured from the network is a major concern. a) There are user authentication systems, which are designed to help users avoid sending unencrypted passwords over the network . Even if someone were to capture information from the physical network, he/she could not extract the user's password. b) In order to assure legitimate connectivity, the authentication system identifies the user to a service and a service to the user. This ensures that no one can masquerade as a service computer to capture data from the unwary. c) KERBEROS is a user authentication system. It has the limitation that it is based on the Data Encryption Standard (DES) which may not be exported internationally. d) The KERBEROS model uses a trusted server computer that is kept physically secure by the network management organization. Computers ranging from PCs to mainframes send authentication requests to the server. All communication with the server is encrypted using keys specific to each computer and operation within that computer. All authentication is done by the server, which sends the service computer a ticket for that user to use a specific service. Note that KERBEROS is not a user authorization system. It is still up to the service computer to decide if the specific user is authorized to perform the operation that he/she has requested by checking the password . e) The KERBEROS authentication option is included in the monthly subscription fee to the campus HSDN. 3. Data Encryption Physical access to the network can also allow someone to capture sensitive data sent over it. To protect certain data from being released inappropriately it should be encrypted before transmission. Encryption is translation of data into a secret code reversible (decrypted) only by a legitimate user with the required key. However it should be noted that data encryption is a compute intensive process and should be used only as necessary. a) Encryption can limit disclosure of sensitive information, but distribution of encryption keys can be a burden and the data may be compromised if key distribution is not handled appropriately. b) An encryption/decryption key may be distributed via a user authentication system. KERBEROS incorporates a mechanism to create and distribute encryption keys. The keys are only used once and are distributed in an encrypted form. c) When a program provides inadequate security or extra protection is needed for some data or documents, an encryption/decryption program may be a useful tool. (1) The best of these programs reside in memory permanently. They decrypt the information only as it is read from the disk and encrypt it before writing to disk. (2) Programs that decrypt an entire file prior to use, and re-encrypt it after use are a problem because of the excessive computation being performed. d) Printing encrypted files may also present problems: if files to be printed are spooled for a network printer, the contents can potentially be disclosed because the file will have been decrypted and written to disk before printing. 4. Checksum a) Another form of protection in network transmission is the use of a checksum on a particular file in order to detect unauthorized modification of data. b) The checksum is a calculated value which is generated based on the contents of fields, records or the whole file. The value is then regenerated after transmission to determine if the contents of the fields, records or file have been altered
IX. LOCAL AREA NETWORK SECURITY AND MANAGEMENT
This section is intended to provide guidance to those who have responsibility for installing, maintaining and managing local area networks. Many of the policies and guidelines applicable to the HSDN are also applicable to LANs.
A. Responsibilities
LAN managers have responsibility for educating their user community in appropriate uses of the LAN and helping them to understand the hierarchy of responsibilities in an integrated environment.
B. Hardware Security
1. Wiring guidelines should follow the standards set by the NOC.
2. Network servers should use standard, widely available components to ensure that hardware can be replaced easily. When 10-50 people depend on the availability of a server for access to their documents and data, ease of replacing components is crucial.
3. Where large numbers of people depend on a single machine, or uninterrupted access to its contents, it may be worthwhile to have redundant hardware.
4. To facilitate the ability of a server to shut down gracefully after a power failure, an uninterruptible power supply may be important.
C. LAN Security
1. Most LAN programs offer some form of password protection for LAN resources. Passwords are the main defense against deliberate damage, disclosure, or misuse of documents and data.
D. Information and Software Security
1. Backups: Servers, which may hold software, data or even backup material, for the LAN need to be backed up themselves. It is recommended that backup of servers be scheduled for hours when there are likely to be few users logged on. Since network servers are generally run without an operator, they need backup procedures that do not require operator intervention, i.e., the backup medium needs sufficient capacity to hold all the files to be backed up at any one time.
2. Removable media: documents or data that do not need to be accessible continuously can be protected by storing them on removable media. Even if a machine is on a network, materials kept on diskette or on a local removable cartridge disk (e.g.,a Bernoulli Box) will not be accessible to other network users. Such files can be shared by providing others with a copy or the original. It is important to make regular backups of such items, since it is possible for a diskette or disk cartridge to become unreadable. Such media should be locked up in the same way sensitive paper documents should be secured.
3. Printing: Each time the contents of a file are queued for printing on a network server, they are actually copied to its fixed disk, and spooled off when the printer is available. After printing the file is deleted, again without overwriting. When a high level of confidentiality is needed in a network environment, the files should never be placed on a fixed disk and should be printed only on a locally attached printer.
4. Data base security: LAN program passwords and the resources to which they provide access may be adequate for sharing documents and data collections like mailing lists, but they rarely provide a sufficient level of granularity (i.e. specification of access rights down to the field and function level) for more complex data bases with confidential contents. The typical LAN program allows control of access to subdirectories but does not control access at the record or field level of a data base. When security is needed at this level, it must be provided by the data base program itself. A particular data base program may provide only a subset of the needed features. The granularity of security should be an important consideration in selecting a data base program to be used for managing confidential information. The ideal data base program would allow the data base administrator to specify, by individual, who could access each record and each field, and in what way. Particular functions would be restricted to certain users, for example:
a) creation, deletion, and reorganization of existing files b) addition, deletion, and global changes for records c) changing existing records, d) capability to see the contents of some fields but not change them
e) capability to see certain fields or records only
5. Software installation: the installation of new software on a server, or new versions of existing software, always carries some risks, including the potential for crashing the server or its fixed disk. Problems to watch for when considering installing a new package on a server are:
a) use of physical I/O to disk or printer, bypassing the operating system b) hardwired disk drive or directory for program startup c) storing configuration information in one of the executable files d) "Programmed in" name and location of user configuration file e) conflicts with "hot keys" for network software f) memory requirements that exceed memory available after operating system and LAN drivers are loaded g) unnecessarily strong locks on open files, limiting or preventing sharing h) failure to close printer files with an end-of-file character i) If the new software is the LAN program that controls the server, there are extra risks to consider. A new version of the program on the server may require that all workstations accessing that server also switch to the new version. A new version may have errors that create openings for security breaches, or it may have new code to correct security problems present in the previous version.
6. Program copying, sharing and licensing issues: placing shared programs on a network server can save substantial amounts of disk space since a single copy can make a program available to many people. The LAN manager should ensure that program licensing terms are met and that the users are fully aware of license restrictions. Otherwise, the manager and the University are potentially legally liable if users violate the restrictions.
a) Some programs require that each user own a copy. If such a program is installed on the network, then a separate copy must be purchased for each user, or passwords must be set up in such a way that people who do not own a copy cannot access the server's copy. Note that you do not have to install every copy, but you should be able to prove that you own a copy for each user.
b) An increasing number of vendors are willing to allow licensing of copies controlled by concurrent use. The quota for the concurrent launches of a single user copy must be controlled and guaranteed by independent launch control software. For example, with 10 licensed copies of an application on a network of 30 microcomputers, the software would allow the first 10 launches from any of the 30 computers but would deny an 11th launch until one of the initial 10 users stopped using the application.
c) Some programs are sold on a per server basis: anyone with privileges on a particular server can use the program simultaneously. However, if users are divided up among two or more servers, a copy must be purchased for each server.
d) Occasionally, it is possible to buy a campus-wide license for a program, permitting unlimited copies to be made for use within the University.
e) The use of software at home may depend on whether the license is for the user or a specific machine. X. MISUSE OF COMPUTING RESOURCES
As stated in the introduction, Harvard's computing resources (systems and networks) are used for a variety of purposes, from the academic - instructional and research - to the administrative. In the University setting, a natural tension arises between protecting the privacy of information and encouraging the sharing of information and ideas. Moreover, because the computing systems and networks are shared resources, their misuse can affect other users, thus creating an additional tension between the desire for individual privacy and the need for overall security and resource availability. Also, given the current limitations for ensuring complete security of data, the University can not guarantee absolute privacy of the information stored on computers and in particular public timesharing and/or network accessible computers.
Mindful of these competing interests and limitations, and recognizing the need to support system and network managers as they perform their jobs, the University has outlined the following procedures in the case of suspected misuse of computing resources. Each school and major department should establish specific procedures appropriate to its own environment and user community. Each user should be informed of his/her responsibility not to misuse information resources, of the sanctions for misuse, and of the limitations on privacy .
Misuse of computing resources may take many forms, such as unauthorized access to files or data, unauthorized modification of files or data, or use of a facility for unauthorized purposes. The procedures as developed should in no way restrict a system manager's authority to stop runaway processes.
Misuse of computing resources may be treated like any other misuse of property or resources, and may subject the misuser to sanctions including (but not limited to) restrictions on access in the future. For example, students are referred to their student handbooks, which may spell out expectations and sanctions with more specificity (e.g., Harvard College Handbook for Students).
The following are procedures for handling and reporting misuse of computing systems.
A. System and Network Operator/ Manager Actions Misuse may have various levels of severity, which should influence the degree and formality of the response. Minor problems should be handled by the individual computing facility and more severe problems according to the policies of the administrative unit which is responsible for the information resources. These policies will differ across schools and departments.
The following are possible actions that may be taken, particularly for an emergency. An emergency will exist if the systems or network operator or the manager believes that the system is being misused and that this misuse poses an immediate and serious risk of altering, damaging, or destroying information of other users or of preventing authorized use of the system.
1. The manager may take action to halt the current misuse, including stopping active programs. In cases of suspected unauthorized use of an account, of unauthorized access, or where the manager cannot reasonably identify the potential misuser or group of misusers, the manager may also examine the account and take other action as appropriate.
2. The department head responsible for the facilities shall have the responsibility to determine what other steps may be taken in accordance with individual School policies. Other action may include examining all files (including mail), possible denial of future use, and imposing conditions on reinstatement of use of computers. In addition, severe incidents of computer misuse should be reported to the user's supervisory authority (as specified in section B.2.) and may lead to academic or administrative discipline.
B. Reporting
If a systems or network operator believes that a computer system or network is being misused, in addition to halting the misuse, the systems or network operator should have some prescribed reporting actions to take depending upon the departmental or School policies, such as :
1. The systems or network manager should contact the manager of the computer center or data network and if appropriate, the High Speed Data Network Operations Center (NOC).
2. If the systems or network operator or manager has reason to suspect or has determined that an individual or one of a group of users is misusing resources, the operator or manager may contact the appropriate academic or supervisory authority of the suspected misuser(s) depending upon the status of the individual(s):
a) an undergraduate: contact Senior Tutor for upperclassman or Freshman Dean's Office for freshman b) for other students: contact Dean of Students for the specific school or other appropriate authority c) a faculty member: contact Chair of Department, or Dean of Faculty d) staff member: contact his or her supervisor e) other individual: contact an appropriate academic or administrative authority
3. If the systems or network operator or manager cannot identify a potential misuser or group of misusers, the operator or manager should report the misuse to his/her Head of Department and, if appropriate the NOC.
4. The systems or network operator, the manager and the academic or supervisory authority (if involved) all shall keep records of the contacts made and actions taken.
C. Other Actions
1. It is recommended that a statement of student responsibilities for use of computer resources be included in each school's student handbook.
2. It is recommended that a statement of staff responsibilities for information be included in the Personnel Manual and/or the Union Agreement (see Sample Statement Section XII). Schools and departments should also consider other ways to distribute this statement to it's staff.
3. It is recommended that a warning statement against misuse of Harvard systems be displayed on terminals and PCs (see Sample Statement Section XII).
XI. OVERVIEW OF LEGAL ISSUES
The use of computers at Harvard raises a number of legal issues, the implications of which are still unclear. Because the wide use of computing centers and networks is relatively new, the law has not "caught up" with the technology. One can speculate about possible legal claims arising from a university's use of computers, but there is little precedent to rely on.
It is also difficult to generalize about legal theories, since the precise facts of each case are of paramount importance. It is impossible to predict the course of computer law, since that law itself will be affected by the facts of the cases that are decided and the statutes that are enacted.
A. Criminal StatuteS
A number of statutes have been enacted by Congress that deal with computers. The Electronics Communications Privacy Act (18 USC sec. 2510) prohibits unauthorized access to computer systems affecting interstate commerce; the exceptions to this rule permit access by employees of a communications service in certain circumstances, or where consent has been given. Under the Computer Fraud and Abuse Act of 1986 (18 USC sec. 1030), it is a crime to access computers used by the federal government or by financial institutions without authorization. Under Massachusetts law, stealing electronically processed or stored data may constitute the crime of larceny.
B. Copyright
Another important statute to consider is the federal copyright law. The creator of software most likely will have a copyright in it, and unauthorized use or copying may violate federal law. Data stored on a computer may also be copyrighted. While a copyright notice [such as "President and Fellows of Harvard College, 1990"] is not legally required to create a copyright, notices should be used where copyright protection may be asserted. Creators of such works should consult with the Harvard Office for Patents, Copyrights, and Licensing. Similarly, the absence of a copyright notice does not necessarily mean that the work is in the public domain. The "fair use" doctrine permits some use of copyrighted works, but that doctrine is quite limited. Under a 1990 amendment, the Copyright Act specifically prohibits any person in possession of a copy of a computer program (including any tape, disk, or other medium embodying the program) from renting or leasing the program for purposes of direct or indirect commercial advantage, unless authorized by the copyright owner.
C. Contractual Obligations
Various aspects of computer use may be implicated in contracts that Harvard signs, both when it provides property or services and when it receives property or services. For example, to fulfill its contractual obligations, it may need access to data, and in negotiating a contract may need to provide for alternatives if that data cannot be obtained. Contracts may also require security measures, such as limiting access to certain software or data; such security may be difficult to assure in an open academic environment, and care should be taken before assurances are given.
D. Misuse of Computing Resources
Misuse of computers may be cause for discipline against a student or staff member. Individuals should be informed in advance about the appropriate use of data and networks.
E. Negligence An individual using a computer may be liable under the tort theory of negligence if he or she fails in a duty to use reasonable care to avoid foreseeable injury to others. The degree of liability may depend on the nature of the wrongdoing and on whether an act was accidental, intentional, or reckless. The extent to which this theory will apply in the computer context is impossible to predict.
F. Products Liability Where goods are sold or services provided to the public, an express or implied warranty may exist that the goods or services are fit for the purposes intended. Sellers will often include disclaimers, stating that no warranties exist, and Harvard may wish to consider such disclaimers. Even so, courts have held in some circumstances that warranties are implied by law and that disclaimers are not effective.
G. Privacy
1. Some invasions of privacy may be actionable as torts or may raise claims under the Massachusetts civil rights act or its privacy statute (which protects a person against "unreasonable, substantial or serious interference with his privacy.") In general, one can sue for a breach of privacy only if there is a reasonable expectation of privacy. Managers and supervisors can, in some circumstances, create and limit the expectation of privacy by letting people know who has access to which data and for what purposes. Managers and supervisors should inform their staff members of such restrictions and expectations.
2. Some information is accorded special protection. For example, student records are protected by the Buckley Amendment (20 USC sec. 1232g) and generally cannot be released or accessed unless the student has consented or a subpoena has been issued ( or unless another exception in the Act applies). Similarly, under state law, medical records usually cannot be released without the patient's consent or pursuant to a subpoena.
H. Vicarious Liability
In some instances, responsibility for a tort may be shifted from one individual to another; the latter is then "vicariously liable" for the actions of the former. This may arise in the employment context, where the employer may be vicariously liable for the employee's actions so long as those actions were taken in good faith and were within the scope of the individual's employment. In such a case, both Harvard and an employee might be named in a lawsuit. If the employee's actions were taken in good faith and within the scope of employment, Harvard would usually cover the costs of defending the claim (with counsel of its choice), would control all aspects of any litigation, and would pay any amounts that might finally be due.
XII. SAMPLE STATEMENTS
Following are some sample statements for inclusion in the personnel manual, sample warnings for PC or terminal display, sample access responsibility statements, and student handbook statement.
A. Statement for the Personnel Manual
Misuse of computing resources may subject a staff member to discipline up to and including termination.
Harvard's computing systems and networks are used for various purposes from the academic - instructional and research - to the administrative. Because computing systems and networks are shared resources, their misuse can affect other users. In addition, confidential information may be stored on the computing systems and networks to which access may be restricted; circumventing such restrictions also constitutes a misuse of computing resources. Misuse of confidential information, whether on computers, paper files, or elsewhere, also violates University policy.
B. Banner Statements for a PC or Terminal
The following paragraphs address different security concerns: (1) confidential information (2) restricted access (3) software licensed to Harvard and (4) application copyrighted by Harvard. You may compose a warning by selecting one or more of these paragraphs as appropriate.
1. The data and information in this system are confidential and to be used only for authorized purposes.
2. Access to this system is limited to individuals who have been granted specific permission by an authorized person.
3. Software used on this system is licensed to Harvard and cannot be distributed or copied without the prior written consent of the appropriate authority.
4. This application is copyrighted by the president and fellows of Harvard College and cannot be distributed or copied without the prior written consent of an authorized representative of Harvard.
5. By pressing "Y" at the prompt, you indicate that you have read and understood this warning.
C. Access Responsibility Statements
1. Confidentiality statement to be signed by individual given access rights:
I understand that during the course of my engagement with the (xxxxx ) department at Harvard University I may have access to confidential or other sensitive data. I agree that, (a) I will not use any documents, data, or other information obtained in the course of my engagement except in performing my specific tasks for the department (b) I will limit my access to the data base to only those areas required by my specific tasks (c) I will not disclose any documents, data, or other information obtained by me in the course of my engagement, except with the prior written permission of ____________ and (d) any documents I receive from Harvard remain the property of Harvard, and I will return them to Harvard at the end of my engagement. I understand that restrictions contained in this statement will continue indefinitely after my engagement with Harvard has terminated, unless specifically waived in writing by _________.
2. Statement of Transferred Responsibility
The payroll and personnel information in the Human Resources System is the property of Harvard University. The representatives of Human Resource Systems and the Office of Financial Systems serve as Custodians of the data. The two areas work to provide access to the data while insuring it is accurate, complete, and used in a manner acceptable both to the University and to each individual faculty and staff member included in the data base. As data from the central data base is transferred to you, the custodial responsibility is also transferred. You are requested to take adequate precautions in storing and protecting this data.
D. Statement for Students from the College Student Handbook on Misuse of Computer Systems
"Students who are provided access to University computer facilities assume responsibility for their appropriate use. Computer programs should be regarded as literary creations and the same standards apply to misrepresentation of copied work (see Academic Rules). More generally, responsible behavior is expected in the use of computer systems. Important but not exclusive concerns are in the following areas:
Privacy of information. Information stored on a computer system is the private property of the individual who created it. Examination of that information without authorization from the owner is a violation of the owner's rights to control his or her own property. Timeshared computer systems provide mechanisms for the protection of private information from examination by others; attempts to circumvent these mechanisms in order to gain unauthorized access to private information will be treated as actual violations of privacy.
Misuse of accounts. Computer accounts are provided to students for their personal use for specified academic purposes. Accounts have tangible value. Consequently, attempts to circumvent the accounting system, to use without authorization the accounts of others, or to use accounts for other than their intended purposes are all forms of attempted theft. A student who has been given an account may not disclose its password or otherwise make the account available to others.
Disruptive and annoying behavior. Students may not attempt to interfere with the normal functioning of a timeshared computer system, and should not disrupt or distract others working with the computer. Use of an electronic mail system to send fraudulent, annoying, or obscene messages is prohibited."
XIII. APPENDIX A - PERSONAL COMPUTER SECURITY PRACTICES
The following are some additional resources or citations which can be used as references on personal computing.
1. Excerpt from "USING SOFTWARE - A GUIDE TO THE ETHICAL AND LEGAL USE OF SOFTWARE FOR MEMBERS OF THE ACADEMIC COMMUNITY" a leaflet produced and distributed by EDUCOM and ADAPSO
2. "Keeping Your Computer Secure at Harvard" a paper produced and distributed by the Harvard University Technology Product Center
3. "Microcomputer Control Department Assessment Questionnaire" from Harvard Internal Audit
4. "Good Security Practices for Personal Computers" is a booklet produced and distributed by IBM. These may be obtained from IBM
A. Excerpt from "USING SOFTWARE - A GUIDE TO THE ETHICAL AND LEGAL USE OF SOFTWARE FOR MEMBERS OF THE ACADEMIC COMMUNITY" a leaflet produced and distributed by EDUCOM and ADAPSO
B. "Keeping Your Computer Secure at Harvard" a paper produced and distributed by the Harvard University Technology Product Center
C. "Microcomputer Control Department Assessment Questionnaire" from Harvard Internal Audit XIV. APPENDIX B SAMPLE DOCUMENTS
This section contains the following documents:
1. Excerpts from (Responsibilities and Ownership : Personal Computing; Security: Personal Computing) "UDO PERSONAL COMPUTING POLICIES AND PROCEDURES" a booklet prepared and distributed by the Harvard University Development Office
2. A checklist/questionnaire of good practices in system development, maintenance, operations and security developed by the Harvard University Development Office
3. "DATABASE DEVELOPMENT GUIDELINES FOR PC APPLICATIONS" a paper prepared by the Kennedy School of Government Computer Services
A. Excerpts from (Responsibilities and Ownership : Personal Computing; Security: Personal Computing) "UDO PERSONAL COMPUTING POLICIES AND PROCEDURES" a booklet prepared and distributed by the Harvard University Development Office
B. A checklist/questionnaire of good practices in system development, maintenance, operations and security developed by the Harvard University Development Office
C. "DATABASE DEVELOPMENT GUIDELINES FOR PC APPLICATIONS" a paper prepared by the Kennedy School of Government Computer Services XV. APPENDIX C - OTHER SECURITY RESOURCES
This Appendix will contain the following types of information.
A. List of Custodians of Harvard Systems
B. Other resource texts and documents available at 7 Sumner Road, Cambridge
C. Security Checklist prepared by Coopers and Lybrand for the internal Audit Department.
A. The following is a list of University Systems with a designated Custodian. The Custodian of a computerized system is responsible for specifying the use and protection of the data, taking into account the value of the data and the applicable legal requirements (see section on Data Management in the Information Security Handbook). This list is an attempt to stimulate thinking on the responsibility chain for systems.
1. Budget System - Randell Grenier (495 - 3511) 2. Expense Reporting System - Brian Shultz (495 - 9840 3. Facilities Maintenance - Judith Holt (496 - 9151) 4. General Ledger - Victoria Johnson (495 - 9132) 5. Hollis - Dale Flecker (495 - 3724) 6. Human Resources - Lydia Cummings (495 - 2136) 7. Institutional Research Database - Mary Averill (495 - 3511) 8. Real Estate - Maura Scanlon (495 - 8644) 9. Student Information Systems - School Registrars 10. Student Receivables - Kellie Lucy (495 - 4986) 11. Telephone Information - Peter Heffernan (495 - 3226) 12. University Development System - Jim Conway (495 - 0301)
B. Other resource texts and documents available at 7 Sumner Road, Cambridge
1. Reports a) "Computer Data Security"- A Bureau of National Affairs Special Report.
b) Coopers & Lybrand, "Information Security in Higher Education"- CAUSE Professional Paper.
c) "Data and Computer Security" - Policy#7.1.1; Carnegie Mellon University, 1989.
d) Renate Rhode and Jim Haskett, Disaster Recovery Planning for Academic Computing Centers, Communications of the ACM, June 1990.
e) Steve R. White, David M. Chess, Chengi Jimmy Kuo, Coping with Computer Viruses and Related Problems IBM Research Report Number RC 14405, January 30, 1989.
2. Books and proceedings
a) Daniel J. Knauf, "The Family Jewels: Corporate Policy on the Protection of Information Resources" - Program on Information Resources Policy, Harvard University.
b) Proceedings of the March 15, 1989 Second Annual Computer VIRUS Clinic, Data Processing Management Association.
C. Security Checklist prepared by Coopers and Lybrand for the internal Audit Department.