Headline News


Are you protecting your identity?
Shared any music lately?
Are your systems protected from viruses?

 

Are you protecting your identity?
12/03

According to a recently released Federal Trade Commission (FTC) report, identity theft has claimed more than 27 million victims in the past five years and costs individuals and businesses over $50 billion from fraudulent use of the stolen data. The report is based on an independent survey commissioned by the FTC. The survey showed that identity theft is increasing and that the vast majority of victims do not report the crime.

Identity theft is often a crime of opportunity. Follow these tips to reduce your chances of becoming a victim.

What you can do
  • Take care with personal information. Never disclose your Social Security number, birth date, or mother's maiden name unless you initiated the transaction. On paper documents, don't include such data unless required to do so on an official application for employment, financing, or insurance. (Ask employers, schools, and financial institutions to offer alternatives.) Never put such information on personal Web pages or publicly posted resumes or directories.

  • Check financial statements promptly. Every month review your banking, brokerage, and credit-card statements for accuracy. Report problems immediately.

  • Watch your credit. Once a year order copies of your credit report from each of the three major credit-reporting agencies. They are:

    • Equifax, 800-685-1111, P.O. Box 105851, Atlanta, GA 30348

    • TransUnion, 800-888-4213, P.O. Box 1000, Chester, PA 19022

    • Experian, 888-397-3742, P.O. Box 2002, Allen, TX 75013

    Report errors promptly and in writing.

  • Travel light. Don't carry identification that contains sensitive data like your Social Security number unless absolutely necessary. If you have credit cards you never use, leave them at home. (Better yet, cancel the accounts.) Memorize your credit card and ATM card PIN numbers. Absolutely never carry that information around with you.

  • Shred and destroy. Before throwing out files containing Social Security numbers, account numbers, and birth dates, shred them with a crosscut shredder. Also shred credit card offers you receive in the mail. Destroy CDs or floppy disks containing sensitive data by shredding, cutting, or breaking them. Use hard-drive shredding software or remove and destroy your hard drive before discarding a computer. Just deleting files isn't enough.

  • Manage credit cards. When you pay your credit card bills, don't write your full account number on your checks, just the last four digits. This prevents everyone who has access to your check as it is processed from capturing your account number. When you get a new credit card in the mail, sign it immediately. And when you mail your credit card bill payments, put them into a U.S. Postal Service collection box. Don't leave them in your home mailbox for your letter carrier to pick up.

  • Deal only with reputable Web sites. Check the privacy and security policies of Web sites before making purchases, trading stocks, or banking online. Don't transmit credit card numbers or account information to any Web site that does not offer a secure data transaction. Look for a lock icon at the bottom of your browser, or check that the URL of the page where you enter your data begins with "https". A professional-looking Web site is no guarantee of security. Don't respond to unsolicited e-mail requests for personal information.

  • Log off. Quit your browser and log off after using public Internet-access computers in libraries, Internet cafes, and the like. Don't pay bills, bank, or conduct other financial transactions on public computers. If you have a high-speed Internet connection at home, install a personal firewall or unplug the computer's cable or phone line when you are not using it to discourage hackers.

  • Create strong passwords. Password protect all your bank and brokerage accounts. Create passwords at least eight characters long. Create passwords that use numbers, letters and special characters.

  • Just say no. Consider "opting out" of information-sharing at your financial institutions. (Check your company's financial privacy notice, which is mailed annually and usually posted on company Web sites, to find out how.) Also opt out of pre-approved credit offers by calling the Credit Reporting Industry Pre-Screening Opt-Out Number at 888-567-8688.

  • Lock it up. Safeguard your driver's license and other government ID at all times. Lock desks, cabinets, and safes containing such information in your office and home.

  • Beware of strange ATMs. Avoid using private or strange-looking automated teller machines, because they may be rigged to skim data off your card's magnetic stripe. Six- or seven-character PINs (personal identification numbers) are harder to crack than shorter ones, but you may not be able to use them at machines abroad.

Shared any music lately?
9/03

Are you aware of the liability you may create for yourself by using file sharing programs over Harvard University's network?

Downloading and trading copyrighted music, movies, games, and software has become commonplace over the Internet, but it's not legal. The Digital Millennium Copyright Act (DMCA) of 1998 states that a person may not reproduce, distribute, publicly display, or publicly perform any copyrighted materials over the Internet without the permission of the copyright holder. Violation may be punishable with civil and criminal penalties, including prison time and fines.

This law also addresses copyright infringement and the impact on Internet Service Providers such as Harvard. Harvard is committed to a University-wide and consistent approach to DMCA compliance. Although the University has an obligation as an Internet Service Provider, there is little it can do to protect individual copyright infringers from personal liability. For more detail regarding the DMCA and Harvard's policy: http://www.dmca.harvard.edu/dmca_overview.php

 

Are your systems protected from viruses?
3/03

This Best Practice is intended to describe processes that IT support organizations should follow. The section on user awareness and education would be of general interest to anyone who uses computers in their work.

Background
Computer viruses can destroy software and data and bring down entire networks.

During 2002, viruses grew at a rate of around 600-700 new ones each month and growth is expected to continue at this rate for 2003. Nine out of last year's top 10 viruses were spread by email on Microsoft Windows platforms.

Policies and procedures should be in place to protect against contamination from these viruses.

These policies and procedures should contain sufficient information to prevent destruction of data and systems by viruses. They should cover user awareness and education, a virus-prevention program, and a virus-containment program.

User Awareness and Education
Users are a key component in an antivirus defense program. Increasing users’ knowledge of how to prevent or detect viruses lowers the risk of contamination.

The following are guidelines on user awareness:

  • Stress the potential damage from viruses, explaining that viruses can trigger harmful events. The sooner a virus is stopped, the less damage it does.

  • Encourage responsible use of software. Stress the importance of keeping original “clean” program disks in a secure location.

  • Provide clear instructions on backup procedures, including accountability and storage location.

  • Stress avoiding situations that expose a machine to outside viruses, such as sharing diskettes and downloading files from the Internet.

  • Stress that any e-mail that consists of nothing but an attachment, or that carries an attachment from an unknown source, should not be opened; it should be deleted immediately and the appropriate personnel notified. Many virus writers are interested in creating the next super Windows worm, spread by e-mail or instant messaging, because these mass-mailing viruses have the greatest impact.

  • Explain that there will be false alarms, but that these are preferable to the danger of real virus damage.

All users should be informed about virus symptoms, including:

  • Any unusual message, music, or graphic display.

  • A significant increase in the time it takes to access a diskette.

  • Significant and unusual reductions in free disk space or available RAM.

  • Strange behavior in Microsoft Word, Excel, or other applications that support macros.

  • Changes in the size or contents of files.

  • Unexplained system interruptions.


Virus Prevention

  • Install antivirus software on all servers and desktops.

  • Update virus definitions at least monthly.

  • Where possible, configure software to update virus definitions on desktops without requiring user intervention.

  • Install antivirus software on email servers to block or remove messages carrying file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files, before they are forwarded to users.

  • Keep up to date on security patches that close the holes exploited by viruses.

  • Turn off and remove all unneeded services (e.g., FTP, Telnet, and web servers). These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

  • Subscribe Network Administrators to UIS’s NetManager Listserv.
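
The attachment-blocking guideline above, worked through as an added example; this is illustration code written for this page, not RMAS or Harvard code or the configuration of any particular mail product. The function and file names (filter_message, figures.xls and the other sample attachments) are assumptions constructed for the example; the extension list is the one given in the guideline. The gateway parses each message before it is forwarded, strips any attachment whose final file extension is on the list, and leaves a visible notice in its place so the recipient knows something was removed.

```python
"""Mail-gateway attachment filter.

Added example for the "Virus Prevention" guideline above; not RMAS or
Harvard code. Each message is inspected before it is forwarded to users,
and any attachment whose file type is commonly used to spread viruses is
removed and replaced by a notice. The extension list is the one in the
guideline; the sample message below is constructed for this example.
"""
import email
import os
from email import policy
from email.message import EmailMessage, MIMEPart

# File types named in the guideline as commonly used to spread viruses.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def blocked_extension(filename):
    """Return the blocked extension a filename ends with, or None.

    The comparison is case-insensitive and looks only at the final suffix,
    which is what the operating system uses to decide how to open the file:
    "report.txt.vbs" is caught, "report.vbs.txt" is not.
    """
    if not filename:
        return None
    ext = os.path.splitext(filename.strip())[1].lower()
    return ext if ext in BLOCKED_EXTENSIONS else None


def _strip_parts(part, removed):
    """Recursively replace blocked attachments inside a multipart container."""
    if not part.is_multipart():
        return
    kept = []
    for sub in part.get_payload():
        name = sub.get_filename()
        ext = blocked_extension(name)
        if ext:
            removed.append(name)
            notice = MIMEPart()  # plain-text placeholder, a visible trace rather than a silent drop
            notice.set_content(
                f"[Gateway removed attachment {name!r}: {ext} files are blocked]"
            )
            kept.append(notice)
        else:
            _strip_parts(sub, removed)  # nested multipart, e.g. a forwarded message
            kept.append(sub)
    part.set_payload(kept)


def filter_message(raw):
    """Parse a raw RFC 822 message (bytes) and remove blocked attachments.

    Returns (cleaned_message, list_of_removed_filenames).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    _strip_parts(msg, removed)
    return msg, removed


def remaining_attachments(msg):
    """Filenames still present anywhere in the message after filtering."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample_message():
    """Constructed sample: one benign attachment and two that must be blocked."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See attached.")
    msg.add_attachment(b"...spreadsheet bytes...", maintype="application",
                       subtype="octet-stream", filename="figures.xls")
    # Mixed case and a double extension, both common disguises.
    msg.add_attachment(b"MZ...", maintype="application",
                       subtype="octet-stream", filename="Figures.xls.SCR")
    msg.add_attachment(b"MsgBox ...", maintype="application",
                       subtype="octet-stream", filename="notes.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = filter_message(build_sample_message())
    print("removed:  ", removed)            # ['Figures.xls.SCR', 'notes.vbs']
    print("remaining:", remaining_attachments(cleaned))  # ['figures.xls']
    print(cleaned.as_string())
```

Matching on the final extension is exactly what the guideline asks for, and it catches the mixed-case and double-extension variants, but it says nothing about the bytes inside: an executable renamed to an allowed extension, or one packed inside an archive, passes through. In practice this filter sits in front of the antivirus product's content scanning rather than replacing it.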


Virus Containment
Incident handling procedures for users in the event of a contamination:

  • Notify your IS support function.

  • Avoid doing work on the infected machine until it can be cleaned up.

Incident handling procedures for IS organizations in the event of a contamination:

  • Who to notify:

    • UIS-NSIRT

    • Affected users

  • What steps to perform to contain the virus:

    • Shut down as much of the network as is necessary to reasonably assure that the virus is contained.

    • Scan and disinfect the system until a pre-infection baseline is reached and the system runs clean.



Previous Headline News


Traveling? Check out Harvard's Emergency Communication Web Site First!
Have you Assessed Your Operations & Projects?

Have you received a HIPAA Business Associate Agreement?
Take the HIPAA Challenge: Are You Ready for the New Privacy Rule?


Traveling? Check out Harvard's Emergency Communication Web Site First!
3/03

Harvard's Office of News & Public Affairs maintains an emergency communications web site that provides the campus community with information on how it will communicate in the event of an emergency. In addition, this site links to travel advisories and relevant Harvard resources on the web. http://www.emergency.harvard.edu/

Have You Assessed Your Operations & Projects?
3/03

Across the University, operations are reviewed by visiting committees with the intent of offering recommendations to management on issues found. As RMAS is also involved in reviewing University operations, we wanted to share our thoughts on financial and operational areas that could serve not only a Visiting Committee assessment but also anyone else assessing an operation or project, its department structure, and/or selected business practices. The following lists financial and operational inquiries that could be incorporated into such a review:

Governance

  • Have the terms and conditions that originally established the operations been documented (e.g., endowment terms) and are they on file, either at the School and/or at the Office of the Recording Secretary?

  • Has the governing or decision-making structure been identified for the operation, e.g., named original leader, rules of leadership succession, participation by operating management?

  • Has the relationship of the operation to the School been clearly identified?

  • Have any "unique" terms and conditions of the relationship with the School been specified? (Example: "The School will raise funds for the on-going support of the operation.")

  • Has the non-profit corporate structure of the operation been documented with School and with the appropriate authorities?

  • Have required filings been submitted to authorities that validate the corporate structure of the Operation? Are these filings available for reference?

  • Is the governing body of the operation regularly addressing the means for on-going funding?

Organizational Structure

  • Has an organizational structure been specified in the founding documents and does that leadership structure still exist? (Example: individual leader, executive operating committee, steering committee?)

  • Is the organizational structure that currently exists designed to achieve the stated goals of the operation, i.e., are there clearly defined roles and responsibilities?

  • Are policies or procedures in place for making critical management decisions, e.g., starting a new project, resolving funding issues, halting projects, reallocating resources, etc.?

  • Is the operation aligned with the School's overarching goals and objectives?

Planning

  • Has the mission of the operation been clearly stated?

  • Is there a Strategic Plan or Business Plan in place that defines the financial objectives for the next three years?

  • Is the operation's Business Plan aligned with the School's established goals and objectives?

  • Are the funding sources of the operation evaluated at least annually to ensure that income can sustain operating expenses at current levels?

  • Are fund-raising plans in place within the operation and/or the School to ensure that income streams are sufficiently sustained?

  • Have the "core/critical" initiatives of the operation been identified and differentiated from less critical programs or initiatives?

  • Are contingency plans in place to ensure that identified resources can be "realigned" if necessary?

Budgeting

  • Are budgets aligned with the Operation's strategic / business plans?

  • Is the budget of the operation aligned with the School's budget and goals and objectives?

  • Are budgets established at the operating unit and project levels so that "financial ownership" has been established and financial accountability can be measured?

  • Are financial "actuals" regularly compared to budgets, with follow-up on significant variances, by operating unit and project managers, by the Finance staff responsible for the operation, or by School Finance?

  • Have unrestricted funds of the operation been allocated to operating units in budgets?

Management Reporting and Performance Measurement

  • Are financial reports generated by Finance personnel periodically (monthly or not less than quarterly) to ensure that those accountable for the budget get timely and accurate information with which to make management decisions?

  • Are operating unit and project managers within the operations held accountable for financial performance?

  • Are financial reports regularly reviewed by School Finance personnel to identify anomalies?

  • Are sponsored research financial and technical reports filed in compliance with the sponsor's stated terms and conditions?

  • Are federally sponsored research projects evaluated to ensure that they are compliant with applicable laws and federal regulations?

  • What non-financial measurement criteria are in place to determine the effectiveness of the operation in achieving its stated mission?

  • Are non-financial measurement criteria captured in timely and accurate reports and reviewed on a regular basis? (Example: Research project plans with defined deliverables by predetermined milestones.)

Business Processes

  • Are written policies and procedures available to guide the organization by defining standard methods for processing transactions?

  • Have administrative personnel recently been trained in the practical implementation of policies and procedures and in the use of the University's and the School's administrative systems?

  • Is there segregation of duties, e.g., separation of transaction processing and approval responsibilities, in order to mitigate fraud, theft, or misuse of funds?

  • Must financial transactions be approved by operating management and then independently reviewed by Finance?

  • Are there redundancies or inefficiencies resulting in multiple layers of reviews and approvals?

  • Are working relationships with other groups within and external to the University well defined? (Examples: Sponsors, vendors, interfaculty initiatives?)

  • Are financial/business processes streamlined so that each process adds value?

Financial Integrity

  • Do the operation's financial statements match the University's financial statements as recorded in the University's general ledger?

  • Is there evidence of financial oversight by the operation's Finance personnel? What depth and frequency?

  • Is there evidence of financial oversight by the School's Finance Department? What depth and frequency?

  • Is the operation subject to periodic and independent financial review?

Background Information

  • Obtain financial history reports that detail the operation's income and expense by category for three to five years.

  • Obtain a list of the operation's federal and non-federal sponsored research projects. The list should include income and expense and project term.

  • Obtain a listing of the operation's unrestricted funds and endowment funds. Inquire as to the uses and purposes of the funds.

  • Obtain a listing of the operation's personnel to determine scope of operations by program area.

  • Determine the operation's space requirements and cost, as well as plans for future growth.

 

Have You Received a HIPAA Business Associate Agreement?
3/03

What is a business associate? Under HIPAA, a person or entity who performs a function on behalf of a health care provider, health plan or health care clearinghouse may be considered a business associate, if the function they perform involves the use or disclosure of protected health information. If a person or entity is a business associate it requires a contract, called a business associate agreement, between the parties.

Business associate agreements require that the person or entity performing the function on behalf of the health care organization provide assurance that they will protect the use and disclosure of that information. As a result, careful consideration must be made as to whether or not the person or entity is in fact a business associate.

If you receive a business associate agreement, contact either RMAS or OGC before signing it. We will advise you accordingly.

 

Take the HIPAA Challenge: Are You Ready For the New Privacy Rule?
3/03

If you are part of the health care community, which includes University Health Services, the Dental School Dental Clinic and the Benefit Services Group, take the HIPAA challenge and find out your HIPAA readiness.

  • Do you have a privacy notice?

  • Do you have a patient authorization form?

  • Have you drafted policies and procedures addressing patient privacy?

  • Do you know what “minimum necessary” means under HIPAA?

  • Have you and your entire workforce been trained on HIPAA?

  • Do you have a mechanism to track and account for health care information used for purposes other than treatment, payment and health care operations?

  • Have you inventoried your vendors and do you have business associate agreements in place?

  • Do you have a privacy officer?

  • Have you established a grievance process for HIPAA complaints?

  • Do you have a mechanism to investigate complaints of non-compliance?


If you are part of the research community, HIPAA may impact your research if it involves health information. Take the HIPAA challenge and test your HIPAA preparedness.

  • Do you obtain health information from health care providers, health plans or health care clearinghouses?

  • Do you know the five pathways for permitted use of private health information for research under HIPAA?

  • Do you know the difference between health care operations and research?

  • Do you know when an authorization may be used and what it must contain?

  • Do you know what de-identified data is under HIPAA?

  • Do you know what constitutes a limited data set?

  • Do you know when you will need a data use agreement and what it must contain?

  • Do you know what is a waiver of authorization and the criteria for obtaining one?

If you answered yes to all or most of the questions you are either HIPAA ready or fast on your way. If you answered no to many of the questions, you need to do your HIPAA homework.

Want more information? Contact Tina Sheldon, Risk Management & Audit Services at 496-7175 or Diane Lopez, Office of the General Counsel at 496-4172. In addition, click here and check out our HIPAA research brochure.


The above questions are a select representation of the regulation’s requirements and are not meant to be all-inclusive.

  


Copyright 2001 President and Fellows of Harvard College