Harvard-MIT Data Center

Information stored on a computer system or sent electronically over a network is the property of the individual who created it. Systems administrators, however, may gain access to users' data or programs when it is necessary to maintain or prevent damage to systems or to ensure compliance with other University rules.

We train our systems administrators with care. We limit all system administration privileges, including the ability to access files, to those administrators who are required to perform maintenance and recovery of the systems for which they are responsible.

We abide by the Faculty of Arts and Sciences (FAS) policies on computer rules and responsibilities, and our users should read and follow these as well. These rules specify that individuals who are provided access to University computer facilities and to the campus-wide communication network assume responsibility for their appropriate use. The University expects individuals to be careful, honest, responsible, and civil in the use of computers and networks.

As system administrators, we also follow the SAGE (System Administrators Guild) expanded code of ethics. This requires system administrators to strive to:

1. Treat everyone fairly.
2. Maintain user privacy and confidentiality.
3. Keep users informed about computing matters that may affect them.
4. Ensure the integrity of the systems.
5. Cooperate with computing professionals.
6. Be honest about their competence.
7. Continue to educate themselves.
8. Enlarge their understanding of social and legal issues that arise in computing environments.
9. Maintain safe, healthy and productive workplace for all users.
10. Maintain a consistently high ethical standard and degree of professionalism in the performance of all duties.

We ask you to read and follow the the FAS policies on computer rules and responsibilities.

In addition:

1. On shared systems, additional information on the use of the system may be intercepted, recorded, audited, inspected, and disclosed to authorized site and law enforcement personnel.
2. If you obtain data from us, you may not redistribute it without written permission. If your affiliation lapses, you must destroy or return any data you obtained from us. You must also abide by any additional restrictions imposed by the data provider, as described by any licenses accompanying the data.
3. If you obtain a login account from or through us, you may not share it with others.
4. Users of public computer labs are expected to:
   • Keep their area tidy in general, and to remove belongings when not logged in to the system.
   • Log out when leaving the lab area for more than a few minutes, but not to reboot or shut down the systems when doing so.
   • Refrain from food, beverages, and smoking.
   • Leave the lab area locked if it was locked when you entered.
   • Be quiet and considerate of others.
   • Refrain from removing documentation or manuals from the lab.
   • Yield to those doing higher priority work (required coursework is higher priority than general work which is higher priority than games and recreation).

Waiver: You recognize that systems and networks are imperfect, and waive any responsibility for lost work or time that might arise from their use. Our staff cannot compensate you for degradation or loss of personal data, software, or hardware as a result of your use of University-owned systems, software, or networks, or as a result of assistance you might seek from our staff.

By using HMDC facilities and services you consent to these policies.

It is the responsibility of IQSS staff and affiliates to be aware of University rules governing the collection, storage, transport, use, and disposal of confidential information, and to follow these rules. Below is a brief summary of these policies, with links to the full details.

Types of Confidential Information

There are two types of confidential information currently recognized at the University:

• High Risk Confidential Information (HRCI)
  This is data containing a person’s name and state, federal, or financial identifiers.
  Or, research data containing private sensitive information about identifiable individuals.
• Harvard Confidential Information (HCI)
  Business information specifically designated by the School as confidential.
  Or, identifiable business information that puts individuals at risk if disclosed.
  Or, research data containing private information about identifiable individuals.
  Or, student records (such as collections of grades, correspondence).

Harvard and IQSS staff and affiliates are responsible for information that they store, access, or share. These responsibilities include:

• Encrypting all laptops, portable storage, and network connections used with confidential information.
• Protecting systems you use to access confidential information through the use of firewalls, virus scanners, and regular software updates.
• Using individual accounts, not sharing account information, and choosing strong passwords.
• Protecting Harvard information and systems, and complying with specific the policies and procedures for use of those systems.
• Attaching only approved devices to the Harvard network.
• Disposing safely of confidential information through the use of approved, secure file-deletion and disk-cleaning tools
• Not sharing confidential information with people who are not approved to access it.

Approvals

All access to confidential information requires approval and a business or research need. In addition:

• Access to HRCI business information or HCI business information specifically designated by the School as confidential requires individual approval by the Director of Security for that school.
• Access to HRCI research information requires individual approval by the Principal Investigator of the research project managing such information. In addition, it is the responsibility of the Principal Investigator to delegate access in a manner consistent with an IRB-approved research plan.

More Information

For more information see the following resources:

• Harvard Information Security and Privacy web site:
  www.security.harvard.edu
• Harvard Enterprise Security Policy:
  www.security.harvard.edu/enterprise-security-policy
• Harvard policies on human subjects research:
  www.fas.harvard.edu/~research/hum_sub/
• Harvard personnel manual section on information privacy and confidentiality:
  harvie.harvard.edu/docroot/standalone/Policies_Contracts/Staff_Personnel_Manual/Section2/Privacy.shtml
• FAS information security policies and procedures:
  www.fas-it.fas.harvard.edu/services/catalog/browse/39

HMDC/IQSS IT support treats user data as private, but recognizes the need to access data or programs when necessary to maintain systems, consistent with the FAS Computer Rules and Responsibilities, section I, Privacy of Information[1]:

"Information stored on a computer system or sent electronically over a network is the property of the individual who created it. Examination, collection, or dissemination of that information without authorization from the owner is a violation of the owner's rights to control his or her own property. Systems administrators, however, may gain access to users data or programs when it is necessary to maintain or prevent damage to systems or to ensure compliance with other University rules. "

Further, consistent with section II, HMDC/IQSS IT system activity is logged automatically:

"Users understand that timesharing and network-based system activity is automatically logged on a continuous basis. These logs do not include private user text, mail contents, or personal data, but do include a record of user processes that may be examined by authorized system administrators."

and

"The staff of FAS IT consider user accounts to be the private property of individuals who have opened them, and as a result will never ask users to reveal their passwords. However, users who request assistance from FAS IT give the staff implicit permission to view specific data in their accounts that is necessary to investigate, diagnose, or correct the problem."

Similarly, IQSS/HMDC users give HMDC/IQSS IT staff implicit permission to view specific data in their accounts that is necessary to investigate, diagnose or correct a current problem.

HMDC/IQSS IT staff will use minimally invasive means necessary to diagnose and correct reported problems. For example:

• HMDC/IQSS IT staff will never ask users for their passwords.
• HMDC/IQSS IT staff will not use user credentials to access non HMDC/IQSS accounts or files, unless specifically requested by the user in writing.
• HMDC/IQSS IT staff will use pattern matching tools (for example, grep) rather than viewing the content of files that potentially are personal or confidential, wherever feasible; and only when necessary to diagnose or correct reported problems.
• HMDC/IQSS IT staff will never view the content of files identified as HRCI unless authorized explicitly in writing by the FAS Director of Security, and/or IRB-authorized faculty.

[1] Available at http://www.fas-it.fas.harvard.edu/services/facultyStaff/policies/rules_and_responsibilities#privacy.

By use of HMDC electronic mail services (accounts, webmail, mailing lists, and more), you agree to abide by the responsibilities and rules of HMDC, FAS and Harvard University, as well as the rules and regulations of your particular internet service provider (ISP), if not connecting from Harvard. If you have any questions about these policies, please contact us or your ISP for clarification.

General Guidelines

HMDC provides electronic mail services to certain members and affiliates of the Harvard community. All such users have the responsibility to use our services in an efficient, ethical, and legal manner in accordance with our policies. HMDC has the right to terminate access to electronic mail services if a user is determined to have violated said policies. Access to such services is limited to authorized users and cannot be shared to other users without expressed consent from HMDC and your departmental administration unit. Users should not use any accounts assigned to other individuals.

While HMDC electronic mail services operate and are monitored 24 hours per day/7 days per week, we cannot guarantee the availability of services at all times. HMDC will make a best attempt to work expediently when solving service delays or outages. The security of passwords and backup of data are the responsibilities of individual users, not HMDC. Users recognize that electronic mail services are imperfect and waive any responsibility for lost work or time that may arise from their use. The staff at HMDC cannot compensate users for degradation or loss of personal data as a result of use of our electronic mail services, or as a result of assistance they may seek from HMDC IT staff.

HMDC neither sanctions nor censors individual expression of opinion on our electronic mail services. The same standards of behavior, however, are expected in the use of electronic mail as in the use of telephones and written and oral communication. Electronic mail messages must not misrepresent the identity of the sender and should not be sent as chain letters or broadcast indiscriminately to large numbers of individuals. This prohibition includes unauthorized mass electronic mailings. Electronic mail on a given topic that is sent to large numbers of recipients should be directed only to those who have indicated a willingness to receive such mail.

Under federal copyright law, no copyrighted work may be copied, published, disseminated, displayed, performed, or played without permission of the copyright holder. HMDC may terminate the electronic mail services of users who are found to have repeatedly infringed the copyrights of others. Users understand that electronic mail activity is automatically logged on a continuous basis. These logs include a record of user addresses and processes that may be examined by HMDC.

HMDC considers email messages and other electronic documents stored on Harvard-owned computers to be confidential, and will not access them, except in the following circumstances:

1. IT staff may need access to electronic records in order to ensure proper functioning of our computer infrastructure. In performing these services, IT staff members are required to handle private information in a professional and appropriate manner, in accordance with the Harvard Personnel Manual for Administrative and Professional Staff. The failure to do so constitutes grounds for disciplinary action.

2. In extraordinary circumstances such as legal proceedings and internal Harvard investigations, electronic records may be accessed and copied by the administration. Such review requires the approval of the Dean (of School) and the Office of the General Counsel.

Accounts

Requested accounts will be created within a reasonable timeframe after receipt of all requested information. All accounts will be created with the login id of firstinitial+lastname (unless the combination is already in use, in which case, more letters of your first name or your middle initial if provided will be used). Requests to use an abbreviated version of your last name must be made at the time of account creation. All electronic mail accounts will be login id@latte.harvard.edu, unless the department has requested a separate domain for its users (such as loginid@wcfia.harvard.edu). Departmental administrators and faculty may request special account names for specific job positions (such as faculty assistant, front receptionist, or others) if it is anticipated that the position will be filled by temporary employees or will have high turnover.

A default password is created and sent when account creation occurs. Users are expected to change the account password for security reasons. HMDC recommends that all passwords are at least 8 characters in length; have at least one lower-case letter, one upper-case letter, one number and one special symbol character; and are not easily recognizable. Users may change their password under the Account Manager icon in Webmail (https://webmail.hmdc.harvard.edu). HMDC cannot recover forgotten account passwords, but can reset account passwords upon request and verification of identity.

The storage quota for each electronic mail account defaults to enough space for approximately 80,000 plain text messages. Users who need additional storage may request additional space, subject to HMDC approval. Users are responsible for watching the quota used for their accounts. Once an account is at the quota limit, all incoming mail will bounce back to the sender with the error 'Mailbox Full'. HMDC cannot recover messages that are bounced in this manner.

Access and Features

HMDC electronic mail service allows POP, IMAP and web-based connectivity via HMDC Webmail (https://webmail.hmdc.harvard.edu) to mail accounts. The HMDC mail server will support secure (SSL) connections if desired. HMDC does not provide desktop mail client support for departments; unless the department has a desktop support agreement and only for supported electronic mail applications (see Desktop Support Policies for further details).

All incoming messages are scanned for potential viruses. Any incoming message that is found to contain a virus is bounced back to the sender with a virus warning. Intended recipients will not receive any notification of this event. HMDC cannot prevent all computer viruses sent via electronic mail. Users should practice proper virus prevention procedures, such as deleting unsolicited mail, leave attachments from unknown users unopened, and installing a desktop virus prevention software package. HMDC is not responsible for damages caused by electronic mail viruses.

All incoming messages are scanned for SPAM (unsolicited, junk electronic messages). Each message is compared to a database of known SPAM attributes and assigned point values for each contained attribute. Once a message reaches a certain point threshold, the text SPAM is added to the beginning of the subject line and delivered to the recipient. HMDC cannot guarantee all incoming messages will be properly identified as SPAM or non-SPAM.

HMDC provides vacation messaging and account forwarding for all electronic mail accounts. Users are responsible for activation/deactivation of vacation messaging and/or account forwarding for their account. HMDC is not responsible for lost messages due to improper settings. A personal account will be deleted when a person is no longer covered under a HMDC electronic mail service agreement. Account extensions requests are approved only by the departmental administrator with HMDC and must be arranged before the account has been terminated. Once an account has been deleted, all mail forwarding will cease and messages sent to that account will bounce back to sender.

Mailing Lists

All staff and faculty from departments with an electronic mail services agreement with HMDC may apply for a mailing list. All requested information must be complete before a new mailing list will be created. For mailing lists intended for departments (or sub-departments), approval from the departmental administrator is required.

All mailing lists must have at least one designated person to administer the list. The list administrator is responsible for adding and removing addresses from the list, as well as any other list duties including moderation of messages. The list administrator is responsible for setting all list parameters, including archival settings. HMDC does not provide any list maintenance services for users.

All mailing lists are subject to the same rules and regulations of any electronic messages sent from the HMDC mail servers. HMDC reserves the right to remove any list recipient or mailing list.

All users of our accounts and public machines agree to abide by all rules and regulations enumerated by our personnel, which can be communicated to you via written, email, publically posted, or verbal communcations. These rules specify that individuals who are provided access to University computer facilities and to the campus-wide communication network assume responsibility for their appropriate use. The University expects individuals to be careful, honest, responsible, and civil in the use of computers and networks.

In addition:

• On shared systems, additional information on the use of the system may be intercepted, recorded, audited, inspected, and disclosed to authorized site and law enforcement personnel.
• If you obtain data from us, you may not redistribute it without written permission. If your affiliation lapses, you must destroy or return any data you obtained from us. You must also abide by any additional restrictions imposed by the data provider, as described by any licenses accompanying the data.
• If you obtain a login account from or through us, you may not share it with others.

Users of public computer labs are expected to:

• Keep their area tidy in general, and to remove belongings when not logged in to the system
• Refrain from food and beverages
• Be quiet and considerate of others
• Refrain from removing documentation or manuals from the lab

Waiver

Users recognize that systems and networks are imperfect and waive any responsibility for lost work or time that may arise from their use. Our staff cannot compensate users for degradation or loss of personal data, software, or hardware as a result of their use of University-owned systems, software, or networks, or as a result of assistance they may seek from our staff.

By using our facilities and services the user consents to the above policies, as well as FAS and UIS policies.

Faculty of Arts and Sciences (FAS) IT Rules and Regulations

For faculty and staff:
    http://www.fas-it.fas.harvard.edu/services/facultyStaff/policies/rules_a...

For students:
    http://www.fas-it.fas.harvard.edu/services/student/policies/rules_and_re...

University Information Systems (UIS) IT Rules and Regulations

For all Harvard persons:
    http://www.universitycio.harvard.edu/information_technology_policies/