At HMS, we care about your privacy. We understand that as IT professionals who manage, maintain, and implement technology solutions, we are entrusted as custodians of HMS data, as well as your individual data. We feel a great deal of honor and responsibility in this role and are mindful that we are accountable to the you, the community.
We believe that the best way that we can continue to earn the trust of the community is to be transparent with respect to how we treat data, and what protections are in place to safeguard privacy.
At HMS IT, neither our staff nor the programs that we install to safeguard security ever look specifically at your data during the normal course of operations. There are certain circumstances where we may be required to provide data, or to examine it, often as part of an investigation. These investigations fall under the following criteria:
Legal or Research Integrity Investigations
For legal or research integrity investigations, we may be required to provide data to the Harvard Office of the General Counsel, or to the Office of Academic and Research Integrity. In these cases, we do not look at data. Rather, we provide data extracts that are in scope for a specific investigation to the requesting authority. We do not provide data unless explicitly requested by, and authorized by, those offices. We also do not provide data to outside law enforcement agencies without confirming the validity of such requests through the Harvard Office of the General Counsel.
Human Resources Investigations
Those may include Title IX investigations, investigations into substance abuse, threats, attitude problems, or other sensitive matters related to personnel well-being, or workplace safety. For Human Resources investigations, like other forms of investigation, we provide data extracts to the Human Resources department to assist with any related investigation. In these cases, we may be asked specifically to perform some level or analysis to determine patterns of behavior. This analysis may require that we examine personal data to provide evidence in support of the investigation. Any analysis performed is done so by authorized IT individuals, as directed by HR, and kept within the strictest confidence, not only to maintain privacy but to also preserve chain of custody.
Information Security
In certain cases, we may be required to examine systems to determine the cause and extent of a computer security incident involving hacking, malicious software, or other information security issues. In these cases, we take care to limit our analysis to only the parts of the system that are in scope. This type of investigation is rare and will occur only in the event of a significant information security incident. In cases of malware, or other types of system infections, we normally limit our examination to the identified malicious software, which is removed without affecting any personal or HMS data on the system.
In each of the above cases, we will provide notification when it is applicable and allowed. We may be limited by law or local policy as to what, if any, information we can provide to individuals about the nature of the investigations. In each case, we strive to ensure that the proper authorizations are obtained and we will never grant access to, or provide data to, unauthorized individuals or groups..
Policy
Any and all access to electronic data is governed by the Harvard University Policy on Access to Electronic Information (AEI). The University policy requires that each school establish local procedures to review requests for access to electronic information (data and metadata). Under the policy, appointed individuals or committees are tasked with reviewing requests for access to staff data. The faculty deans and school deans are responsible for reviewing requests for access to faculty data, and student deans are responsible for reviewing requests for access to student data. At HMS, the AEI committee has been designated to review all requests, make decisions related to access to staff data, and make recommendations to the Dean of the Faculty or the Dean of Students for access to faculty or student data, respectively.
Software and Services
HMS IT installs software applications on systems to protect from malicious software, keep applications up to date, backup data, and protect from intrusions. HMS IT and Harvard University Information Technology (HUIT) also offer services, such as Dropbox (HMS) and SharePoint (HUIT) that store data.
Some of the applications that we install gather metadata about system specifics and application behaviors. Types of data, access, and processes are follows:
System-specific data
Information about installed programs, hardware, screen saver status, disk encryption status, and other data are gathered by the LANDesk portal and JAMF Self-Service applications (Casper). These applications do not report on, access, or analyze individual data, such as documents, spreadsheets, presentations, or other forms of data generated by individuals. These applications gather only information about machines and installed software.
Data generated by individuals
Data generated by individual members of the HMS community may be stored in HMS network collaborations, home drives, HMS provided Dropbox, Harvard provided Microsoft OneDrive, Microsoft SharePoint, HMS or Harvard provided email services, Orchestra, CrashPlan Pro backup services, or other HMS or Harvard provided services. HMS IT and HUIT have designated individuals who are responsible for the administration of these services. All administrators are bound by the Harvard Policy on Access to Electronic Information and a code of conduct (HUIT) and are prohibited from looking at data, or metadata owned by or about a specific individual without following the appropriate approval process. IT members may incidentally encounter data during administration. These incidental accesses are necessary for the continuous operation of IT systems and HMS IT and HUIT maintain the highest standards of privacy with respect to any incidental viewing of data.
As specified previously, HMS IT and HUIT may be required to turn specific data over to authorized individuals as part of a legal, research integrity, HR, or information security investigation. These data transfers are performed only when authorized by appropriate representatives of the respective groups and are governed by Harvard policy.
Metadata about system and network behavior
Certain types of network and system behavior are logged by the HMS intrusion detection system (IDS), and by the Harvard CrowdStrike service. These systems examine a variety of metadata, such as: source and destination IP address, Ethernet addresses, applications, system names, domain names, file names and path information, operating systems, platforms (PC, Mac, Linux), etc.
The HMS IT IDS analyses and alerts on suspicious network behavior that is consistent with cyber-attacks, malicious software, such as ransomware, and other forms of compromise. HMS IT monitors these systems to remediate any infected systems or to stop attacks against HMS systems. Similarly, the CrowdStrike Falconhost software that HMS and other Harvard schools install on laptops, desktops, and servers, sends metadata about application behavior to the CrowdStrike cloud for analysis. The results of the analysis are viewable to members of the Harvard Information Security community within the CrowdStrike Falcon console. Information Security Officers and Engineers have access to view devices based on detection status. Detection status is the likelihood that a system is infected with malware or compromised by a threat actor.
Access to the CrowdStrike console is limited to individuals whose role it is to protect Harvard systems from outside malicious attacks. Active monitoring of any potential threats is performed by the HUIT IT Security Operations team reporting to the University Associate Chief Information Security Officer. In the event of a credible threat, the respective school information security officer is notified. A decision is then made to “contain” the system. Containment locks a system down and restricts network access until the threat has been remediated. Once the system is remediated, it is removed from containment. Containment may only be turned on and off by HUIT IT Security Operations personnel.