What's New
IT Security on Portable Hardware
By now most of us are aware of the importance of keeping confidential information secure. We use complex passwords and lockout periods to help prevent unauthorized access. But what about the hardware itself? What happens if you lose the computer you use to access confidential information?
Portable computers are meant to be, well, portable. Same for flash drives. Technology has made it very easy for us to work from different locations instead of always needing to be at our desks. In addition to existing IT security controls, recently enacted Massachusetts regulations now require that confidential information on your computer or flash drive be encrypted.
Here are some examples of hardware lost at schools in 2008: 1
- A laptop containing Social Security numbers (SSN) and credit card numbers of 84,000 University of North Dakota alumni was stolen from a vehicle. While the information was encrypted, the university's alumni association is offering one year of free credit monitoring.
- A flash drive containing student financial information went missing at Tennessee State University. Although the flash drive was later recovered, the school had to report the potential breach of over 9000 students' SSNs, and the internal audit department investigated the incident.
- A contractor at Arapahoe Community College reported a flash drive containing information for over 15,000 students (including SSNs and credit card numbers) lost or stolen.
- Stanford University informed over 70,000 people of a stolen laptop that may contain SSNs, salary and contact information.
- The New Hampshire Technical Institute reported missing a flash drive that may contain information for 128 former nursing program students. The school offered those students one year of free credit monitoring.
- University Health Care (University of Utah) reported a laptop containing patient information stolen from a locked office. Information on the laptop may include SSNs, health insurance account information and patient records. University Health Care offered almost 5000 patients one year of free credit monitoring.
- A doctor at the University of Minnesota’s Reproductive Medicine Center lost a flash drive containing names and fertility results of 3,100 patients.
- Tennessee Tech University notified students that a flash drive containing the names and SSNs of 990 students who resided in certain dorms was misplaced.
- A hard drive containing information (again, names and SSNs) on more than 800 students and graduates at the University of Akron’s College of Education was lost. The university offered free credit monitoring to those affected.
In most of these instances, the information contained on the missing hardware was not encrypted, even if required by institutional policy.
What does this mean for Harvard employees? Harvard University classifies personally identifiable information as "High-risk Confidential Information" (HRCI). This information includes, but is not limited to, Social Security numbers (SSNs), driver's license numbers, birth certificates and passport information. HRCI is not allowed on Harvard computers - laptops or desktops. Other confidential information must be properly protected. Start by reading about the University's policies on HRCI and confidential information on Harvard computing devices. Harvard is required by the new state law to notify affected Massachusetts residents and officials of any potential HRCI breaches. If something goes missing, be sure you report it immediately.
1 Dodge, Adam. "Educational Security Incidents." http://www.adamdodge.com/esi/
Protecting Your Identity
Our new brochure provides steps to help protect you from identity theft, one of the fastest-growing types of crime. Identity theft is the fraudulent use of an individual's unique identifying information and/or personal data. This information includes, but is not limited to, Social Security numbers (SSNs), driver's license numbers, birth certificate and passport information. Victims with high credit ratings are especially lucrative targets, since identity thieves could use their credit to take out mortgages, unsecured lines of credit or other large credit instruments.
RMAS Fiscal Year 2009 Focus 
Through our annual risk assessment process, we identify business objectives that create risk for the University. The focus of our FY09 audit plan is aligned under these risks.