HRDSP_level_4_worksheet
HRDSP Level 4

Columns: Requirement | Met (Y/N) | How Met | Notes


1. Physical security requirements:

1.1. Level 4 servers must be located only in physically secure facilities under University control. Such a facility can be a general purpose facility.  Notes: l5 1.2

2. Network security requirements:

2.1. Level 4 servers must not be directly accessible from the Internet or from open parts of the Harvard networks unless the confidential information is encrypted. (Note that use of a VPN concentrator is not considered "direct access.")

2.2. The IRB and IT must be provided with written justification if a Level 4 system is to be connected to a network.  Notes: l5 3.1

2.3. Level 4 systems connected to any network must run host-based firewalls configured to block all connections to the system other than the specific connections needed to perform the approved research.  Notes: l5 6.1

2.4. Level 4 systems connected to any network must undergo at least annual vulnerability testing and problem remediation.

2.5. Level 4 systems must be connected only to a special network segment dedicated to similar systems.

2.6. No user computers are permitted on the special network segment.

2.7. Level 4 systems connected to a network must use private address space.

2.8. The network segment containing the systems must be protected by a firewall that is configured to block all inbound traffic to the system not specifically required to support the application.

2.9. The network segment containing the systems must be protected by a firewall that is configured to block all outbound traffic from the system not specifically required to support the application.

2.10. The firewall protecting the network segment with the systems must block all administrative access except from the specific computers used by the system administrators.

2.11. Documented practices must be in place and followed on maintaining the configurations of the host-based and network-based firewalls.  Notes: l5 6.1

2.12. The confidential information must be encrypted when it traverses any network (outside of a switch in a secure information center).

2.13. The confidential information must never be sent via email except in encrypted files.

2.14. All users needing to transfer the confidential information must make use of a secure file transfer method.

3. System security requirements:

3.1. Administrative functions on the Level 4 servers or applications that access the confidential information must be logged. The logs should include the identity of the user, the time, and the command executed.

3.2. Generic accounts on Level 4 systems must be disabled.  Notes: l5 7.1

3.3. Default passwords on Level 4 systems must be changed before the systems are put into use.  Notes: l5 7.2

3.4. A mechanism must be in use on Level 4 servers to inhibit attackers guessing passwords (e.g., lockout after multiple bad password guesses).  Notes: l5 7.3

3.5. A mechanism must be in use on Level 4 servers or clients to block access to idle sessions (e.g., an application timeout or a locking screen saver).  Notes: l5 7.4

4. Operational requirements:

4.1. There must be a written list of the individuals or the categories of people (e.g., research assistant, lab administrator) that are permitted to have accounts on the Level 4 systems ("The access policy"); the names or categories must be disclosed to the IRB.  Notes: l5 8.1

4.2. All media (including magnetic media such as portable disks or thumb drives and non-magnetic media such as optical disks or paper) containing the confidential information must be encrypted or secured in a locked container (e.g., a file cabinet or safe) when not actually in use. Access to the locked container should be limited to the specific categories of people disclosed to the IRB.  Notes: l5 5.1

4.3. Where access to systems storing the confidential information from outside of the research premises is permitted, there must be a written policy identifying individuals or categories of persons who have permission, and under what conditions ("The remote access policy"); the identities or categories must be disclosed to the IRB.

4.4. Users must only have access to the confidential information through their individually assigned (non-shared) user accounts.  Notes: l5 8.2

4.5. Only the applications that are actually required to support the services used in the research can be running on the servers.  Notes: l5 8.3

4.6. Users' access to Level 4 data or servers must be removed if they no longer have a reason under the access policy to access the information (e.g., they change jobs or leave the university).  Notes: l5 8.8

4.7. Level 4 servers must enforce Harvard standard password complexity rules. (See http://www.security.harvard.edu/resources/best-practices/passwords.)  Notes: l5 8.4

4.8. Level 4 servers and the applications must be designed so that passwords cannot be retrieved by anyone (including system administrators). (This should include a mechanism to ensure that any assigned passwords are changed on initial use.)  Notes: l5 8.6

4.9. Interactive access to Level 4 servers must be logged. The logs should include the identity of the user, the time, and the function (login or logout).  Notes: l5 8.7

4.10. The logs should be reviewed periodically to determine if the systems are under attack and that the users are following the documented access practices (e.g., not logging in as root).
4.11. There must be a documented practice, known by the users, to ensure that any possible breach that might put the confidential information at risk is promptly reported to the IRB and the OGC, as well as the University Technology Security Officer and the School and University CIOs.  Notes: l5 8.9

4.12. The confidential information is not permitted to be stored on any user computer or portable computing device (e.g. laptop, PDA, or smart phone). (See the note below about collecting Level 4 information.)  Notes: l5 8.10

4.13. Backup tapes or other removable media containing the confidential information must be encrypted.  Notes: l5 8.11

4.14. All electronic records containing the confidential information must be properly disposed of by overwriting the information.  Notes: l5 8.12

4.15. Old or broken disk storage drives that were used to store the confidential information must be properly disposed of by physical destruction or overwriting the information.  Notes: l5 8.13

4.16. The IRB must be informed of any plans to have a vendor store or process the confidential information.  Notes: l5 8.14

4.17. Contracts must be executed with all external vendors who process or store the confidential information at Harvard's direction.  Notes: l5 8.15

4.18. The contracts must contain specific contract language (approved by the OGC) that requires the vendor to protect the information and to inform Harvard promptly of any possible breach that may put the confidential information at risk of exposure.  Notes: l5 8.16

4.19. The contracts must contain specific language (approved by the OGC) to ensure that the confidential information is not stored on a user computer at a vendor.  Notes: l5 8.17

4.20. The contracts must contain specific contract language (approved by the OGC) to ensure that the protection of the confidential information meets the requirements of Massachusetts law and this policy.

4.21. The contract riders on the security web site meet the above requirements. (http://www.security.harvard.edu/resources/statements/contract-riders)  Notes: l5 8.19

4.22. All software (operating system and application) patches must be up to date.

4.23. Only the applications that are actually required to support the required services can be running on a server.

4.24. Level 4 systems must be running an appropriate virus checker, and the virus checker information files must be updated at least weekly.

4.25. Operators of non-IT-managed Level 4 servers must annually certify to their school CIO that they are compliant with the Harvard Enterprise Information Security Policy.

4.26. Harvard employees working with any kind of confidential information should undergo training in general information security at least annually.  Notes: l5 8.20

4.27. Implementation of operational requirements is subject to review and audit by the UTSO, RMAS, and/or the IRB.  Notes: l5 8.21

Other security considerations

1.1. The facility should have a minimum number of normally active entry/exit points, each of which should be controlled, between the secure area and non-secure areas. Additional exits are OK if alarmed.

1.2. The physical location of the secure area should not be visible from outside the building if the room is located on the ground floor, that is, no windows.

1.3. Individual physical access to the secure area must be controlled and logged (e.g. card swipe required for each person entering). Visitors to the secure area must be escorted at all times and their actions must be monitored.

1.4. The log of physical access must be protected and restricted from unauthorized access.

Collecting Level 4 information

Collection of Level 4 information while in the field must adhere to strict security protocols. The protocol(s) to be used must be provided to the IRB. Some examples include:

1.1. Computer-based collection of Level 4 information in the field may be done using a VPN connection to a Level 4 server.

1.2. Computer-based collection of Level 4 information in the field may be done using a computer with an encrypted disk. In this case the information should be securely transferred to a secure server as soon as practical. The secure transfer can be done through a VPN to a Level 4 server, by using an encrypted thumb drive, or by encrypting the information files and transferring the encrypted files, for example via email or a secure file transfer application, to a secure location.

1.3. The Level 4 information must be promptly and securely removed from the computer used to collect the Level 4 information once the transfer has been completed and verified.

Posted: 11/20/2012