Security assessments

• Objective – Identify vulnerabilities in systems and software to ensure security.
• Scope – Regular assessments of both systems and web applications.

HMS Information Security schedules regular vulnerability scans that categorize threats based on their criticality. This ensures timely patches and remediation.

• Objective – Review and approve vendors' security postures.
• Scope – Any vendor accessing, storing, or processing HMS data.

You can engage with HMS Information Security by emailing iso@hms.harvard.edu to initiate vendor security reviews. The process entails:

1. Receiving a business unit request.
2. Procuring and examining vendors' security controls.
3. Reviewing vendors' policy and governance documentation.
4. Data classification using Harvard standards.
5. Sending and reviewing the data classification worksheet with the vendor.
6. Conveying the final assessment to the requesting business unit.

Ensure a contract with the vendor exists and has been reviewed by the Harvard Office of General Counsel.

• Objective – Identify vulnerabilities in web applications.
• Scope – Applications before production and periodic reviews.

Before being introduced and during their lifecycle, web applications must be screened for potential threats. HMS Information Security collaborates with developers to rectify any found vulnerabilities.

Given the invasive nature of these scans, it's recommended:

• To back up site content and databases.
• Turn off email forms.
• Supply authentication credentials if applicable.

For third-party hosted applications, notify the provider before a scan. To arrange a scan, reach out to HMS Information Security.

• Objective – Review and meet diverse security requirements.
• Scope –  Collaboration with Harvard Longwood Medical Area IRB and HMS Sponsored Programs.

HMS Information Security collaborates with several Harvard divisions to guarantee data security compliance in research, considering institutional policies and legal prerequisites.