HMS IT Professional Code of Conduct to Protect Electronic Information

In the course of supporting the business of the Harvard Medical School, IT staff performing regular duties may have access to data in applications, emails and file systems or on desktops, servers and networks and other systems that must be protected by the School. In performing their duties, HMS IT staff will comply with applicable HMS and Harvard University policies including the Harvard Information Security Policy and the Harvard Policy on Access to Electronic Information.

As a Harvard IT organization,
  • HMS IT staff will receive the Code of Conduct and are expected to review and adhere to the Code of Conduct
  • HMS IT staff will be required to annually review and affirm the Code of Conduct
  • HMS IT leadership will provide guidance on this Code of Conduct as challenges are observed or encountered
  • HMS IT leadership will review and revise the Code of Conduct as needed in response to any incidents or as technology changes.

As IT professionals,
  • We have access to electronic information*, some of which may be personal and confidential
  • We require access to electronic information in order to develop, test, implement and support the School’s applications, systems and networks and to ensure they run properly; to protect against threats such as attacks, malware, and viruses; to protect the integrity and security of information; to help support business continuity; and to help deal with threats to campus safety and the safety of individuals.
  • It is part of our job to help protect all electronic information from unauthorized access
  • We only obtain the information we need to perform our job or which we have been directed to obtain by proper University or legal authorities. See the Harvard Access to Electronic Information Policy for more information.
  • We only use the information gathered for the purpose for which it was obtained, properly protect the information while in our possession, and dispose of it properly once it is no longer needed for business purposes
  • We will not peruse or examine an individual’s electronic information for any purpose other than to address a specific issue
  • We understand that, in the event that there is a potential violation of this code of conduct, an investigation will be conducted in which all available information will be collected and evaluated. Such investigations shall follow Harvard University policies and procedures and shall involve the appropriate parties, such as human resources, union representatives, the Harvard Office of General Counsel, and members of IT leadership. Should the investigation find that a violation occurred, that finding will be reflected in the individual or individuals’ performance development, and may also result in disciplinary action, up to and including termination.
  • We will sign a yearly acknowledgment that we have received, read, and understood this Code of Conduct

* For definition of “electronic information” see:
http://hwpi.harvard.edu/files/provost/files/policy_on_access_to_electronic_information.pdf

Below are some examples of the Code of Conduct in practice. These are meant to be representative and helpful, but not comprehensive. If a need arises for exceptions to the principles and examples in this Code of Conduct document, approval must be obtained from the Harvard Medical School CIO or Harvard Medical School CISO.

Field Technicians

  • Technicians must never request or ask a user for their password or PIN and must not observe a user entering their password or PIN
  • Technicians must not open emails or files while troubleshooting an issue unless the user gives specific permission and must examine only the content of emails or files as required to troubleshoot a particular problem
  • Remote access to a desktop for support purposes can only occur with the approval of the end-user via a specific desktop prompt

Quality Engineers, Developers, Project Managers and Business Analysts

  • When developing, testing, analyzing, maintaining or troubleshooting issues in HMS applications, records should only be interrogated if they are related to the problem being investigated.
  • When showing examples of pages, files, business flow or report output in documentation, appropriate measures should be taken to disguise the information to protect the identity of the individual(s) associated with the data.
  • For purposes of presentation, development, testing, analyzing, maintaining, or troubleshooting, appropriate measures should be taken to disguise the information to protect the identity of the individual(s) associated with the data.

Network Engineers

  • Data traversing the network must not be monitored except for maintenance, specific diagnostics and system protection purposes (e.g. virus protection scanning).
  • Access to log information must only be used for business purposes and as required to support the integrity of systems.

Help Desk Staff

  • Never ask users for passwords or PINs
  • Only enable email forwarding to another destination when requested by the mailbox owner

System Administrators & DBAs

  • Data contained in log files and databases should not be disclosed beyond the need of the IT group to develop, maintain, troubleshoot or perform diagnostics unless under direction from proper HMS or legal authorities
  • Information about a specific user’s access to networks, systems, databases, or any other computer-based resources must not be disclosed to anyone beyond the owner unless under direction from the proper HMS or legal authorities or for the purposes of development, testing, maintenance, protection and support of an IT system
  • The casual viewing of any data contained in logs or databases that fall outside of an employee’s job responsibilities is strictly prohibited

Production Control and Computer Operations

  • All physical access to HMS Data Centers must follow established access management protocols; all requests for access from unauthorized individuals must be referred to a supervisor or manager
  • All requests for access to systems must follow established access management protocols; all requests for systems access that fall outside of the specific ones covered by the access management protocol must be referred to a supervisor or manager
  • All requests for privileged access to production systems must follow the established procedures for granting such access, including the timely and accurate logging of the request and the timely reverting of privileges upon completion of the work that prompted the request for privileged access

Security Engineers

Harvard’s information security professionals adhere to a stringent code of ethics through their certification by the International System Security Certification board, which requires that they:

  • Protect society, the commonwealth, and the infrastructure
  • Act honorably, honestly, justly, responsibly, and legally
  • Provide diligent and competent service to principals

When launching an investigation in response to an alert about possible malicious activity (from an automated tool, a user, or a third party), security engineers must act in a responsible and ethical manner, specifically:

  • Investigate only within the scope that has been identified by the alert and for the identified reason
  • Track the malicious activity to an originating machine and contact the owner and their IT support, sharing the information and assisting in a resolution process
  • Should an individual decline to participate in the resolution, security engineers must:
      • Launch an escalation process to obtain management approval prior to further action
      • Follow the defined escalation path which includes notice to local management, CISO, HR, and OGC

When conducting forensics on an acquired computer, security engineers must:

  • Limit their investigative activities narrowly, working on only relevant information
  • Only look at individual personal information if it is required for the investigation.
  • Keep physical and digital investigation materials (for example copy of a hard drive) securely locked
  • Maintain a chain of custody for evidence, requiring responsibility and sign-off for each step of the process

HMS IT professionals may also be required by some departments, labs, or other projects to take additional required training in order to comply with Federal, or State regulations, contracts or other such agreements where the protection of data is governed by requirements in addition to HMS and Harvard policies. In these cases, HMS IT professionals are expected to comply with these requirements.