Glossary of Security Terms

Access Control Systems
Access Control Systems are systems that manage physical access to Harvard-owned properties, structures, or services.

Authorization
Permission to access resources in a digital domain (after positive authentication)

Authorization Proxy Service (AuthZProxy)
Service provided by Harvard that allows applications to check the status of users prior to allowing system access.

Back Doors

In traditional computer programming parlance, a "back door" is an entry point into a program that the programmer leaves himself in order to gain quick access without having to go through all the normal, built-in security checks. In theory, the back doors are taken out of the final release of the software, but history has shown that often they are not. In the current network climate, though, a back door is generally considered to be a program that has been placed on a computer (usually surreptitiously) that allows a remote user to gain and maintain complete administrative control over the computer - almost always without the knowledge of the computer's owner or primary user. The most famous and widespread examples of back door programs over the years have been SubSeven and Back Orifice, but there are many, many others, and new ones appear regularly. There are several ways that back doors can be placed on a computer (though, this can never be a truly complete list):
• Opening an infected e-mail attachment (they are often combined with viruses and worms)
• Exploiting a computer left vulnerable by a previous, existing virus infection
• Clicking on a URL to a malicious website that surreptitiously downloads the back door to the computer
• Exploiting a vulnerable, unpatched software application or operating system service (this is what happened with the famous Code Red exploits)
• Leaving the computer unattended and unsecured (no password-protected screen saver), so that the back door can be loaded directly from floppy disk, "thumb drive", CD-ROM, etc.
• Active FTP server on the computer (especially one that allows "anonymous" sessions)

Confidential Information

Information about a person or an entity that, if disclosed, could reasonably be expected to place the person or the entity at risk of criminal or civil liability, or to be damaging to financial standing, employability, reputation or other interests.

Harvard is bound by laws, such as FERPA and HIPAA, and by contracts, such as some grants and vendor contracts, to protect some types of confidential information. Additionally, Harvard, under University, School or unit policies, requires protection of other kinds of information about the University or Schools, faculties, departments and other units and about Harvard property (tangible or intangible). Confidential Information also includes High-Risk Confidential Information, as defined below, as well as other non-public personally identifiable information about individuals.

Nothing in Harvard’s policy on Confidential Information is intended to restrict or limit in any way employees’ rights to discuss terms and conditions of their employment with each other or with third parties. Harvard’s policy is intended to protect Confidential Information, including confidential personnel information, from disclosure.

High-Risk Confidential Information (HRCI)
HRCI is personally identifiable information whose confidentiality is governed by law. High-Risk Confidential Information includes a person's name in conjunction with the person's Social Security, credit or debit card, individual financial account, driver's license, state ID, passport number or visa, or a name in conjunction with biometric information about the named individual. High-Risk Confidential Information also includes personally identifiable human subject information and medical information. Improper access to, use of or release of High-Risk Confidential Information may trigger legal reporting requirements. Such information is subject to legal requirements when being disposed of.

Examples
Examples of Confidential Information (in addition to HRCI) include the following: unpublished University financial information and development plans, salary information, employee benefits and other HR information (but employees may discuss terms and conditions of their employment, including salary and benefits, with each other or with third parties), grades and other non-directory education records, financial information about applicants, non-public personal and financial data about donors, Harvard identification numbers, information received under grants and contracts subject to confidentiality requirements, information on facilities security systems, unpublished research data, invention disclosures and patent applications, and information specifically designated as private or confidential.

Contract Rider
Text approved by Harvard counsel to be appended to Harvard contracts in which the vendor is working with Harvard confidential information. The contract riders specify the protections that must be implemented and the criteria that must be met in order for a vendor to work with Harvard confidential information.

De-Identified Data
Data from which information that can be used to identify individuals, either directly or indirectly, has been removed. For information to be de-identified under HIPAA, 18 separate identifiers must be removed from the individual's record before that information can be considered de-identified. Covered entities have the option of stripping fewer identifiers from individual records, but only if an expert with knowledge of statistical and scientific principles and methods assures that individuals will not be identifiable from the disclosed data or by comparison of the data with other sources of information.

De-Identified Research Data Set
A Research Data Set where all personal identifiers have been removed (and normally replaced by a random identity key) such that no personally identifiable data remains.

Encryption
The algorithmic transformation of a data set to an unrecognizable form using an encryption key. The original data set or any part thereof can be recovered only with knowledge of a secret decryption key.

FERPA
Family Educational Rights and Privacy Act; a federal law that requires protecting the privacy of student records.

FERPA Block
FERPA also gives a student the right to block public display of directory information. Schools are required to convey to students the information they classify as directory information, and to allow students and parents a reasonable amount of time to request that the School not disclose directory information about them. This request is referred to at Harvard as a FERPA block.

High Risk Confidential Information (HRCI)
High-Risk Confidential Information includes a person's name in conjunction with the person's Social Security, credit or debit card, individual financial account, driver's license, state ID, or passport number, or a name in conjunction with biometric information about the named individual. High-risk confidential information also includes human subject information and personally identifiable medical information. Improper access to or release of high-risk confidential information may be subject to legal reporting requirements. Such information is subject to legal requirements when being disposed of.

Identity Key
The code used in place of Personal Identifier(s) in a Research Data Set.

Identity-Mapping File
Data set that can be used to associate identity keys with individuals.

IRB Application
The research application submitted to the local IRB for review and approval.

Malware

Over the last several years, the term "malware" has come to be used to describe various kinds of malicious software written and engineered to compromise personal computers by a variety of methods. The four main categories of malware are: viruses, worms, "Trojans", "back doors", rootkits, and Advanced Persistent Threats (APT).

Mass Email message (or Broadcast Email message)
Sending of an electronic communication to a campus-wide or ad hoc group of individuals across multiple schools or administrative units.

Limited Data Set
A limited data set contains more information about individuals than de-identified data. A limited data set permits use of some identifiable health information, while excluding direct identifiers. This type of disclosure requires a Data Use Agreement between the researcher and the covered entity that establishes the permitted uses and disclosures of the data set.

Non de-identified data set
Data set that contains personally identifiable data. Not all data sets can be reasonably de-identified (for example, an audio-recorded interview in which a subject identifies him or herself, or a videotape that includes images of the subject’s face). In this case, the data set must be considered a non de-identified data set.

Payment Card Industry Standards (PCI)
Any data elements within a data set that singly or in combination can uniquely identify an individual, such as a social security number, name, address, birth date, physical characteristics, demographic information (e.g. combining gender, race, occupation, and location), hospital-patient numbers, or history.

Personal identifiers
Any data elements within a data set that singly or in combination can uniquely identify an individual, such as a social security number, name, address, birth date, physical characteristics, demographic information (e.g. combining gender, race, occupation, and location), hospital-patient numbers, or history.

Personally identifiable data
Data that are associated with living persons, or that can be associated with living persons by deduction from personal identifiers in a data set.

Research Data Set
A body of data elements collected or used in the course of research.

RMAS
Risk Management and Audit Services, Harvard University's internal audit group.

Secure location
A place (room, file cabinet, etc.) to which only the Principal (or lead) investigator and any other specifically approved individuals have access through lock and key. Either physical or electronic keys are acceptable.

Sensitive Data
Any data that can be linked to individual subjects involving medical information, personal financial information, social security numbers, and any information the disclosure of which outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, insurability or reputation. (Expanded from 45 CFR 46.101(b)(2)(ii).) Any data concerning Harvard students should be considered Sensitive Data.

University LDAP Enterprise Directory (Attribute Service)
Harvard's University LDAP directory acts as an official university attribute authority. It contains profile data about HUID holders and, to a much lesser extent, about XID holders.

University PIN system (Authentication Service)
Provides authentication services for populations that hold Harvard ID numbers (students, faculty, staff, some affiliates)

Viruses

In their simplest form, viruses are individual programs that, when placed on a target computer in such a way that they are subsequently executed (thus "infecting" the computer) can produce results ranging from the innocuous placement of a "test" file to complete deletion of data and reformatting the hard drive. Not all viruses are malicious - some are written by "white hat" programmers as tests to help discover vulnerabilities and remove or strengthen them. There are many "families" of viruses with variations or strains that have been around for many years, and new viruses appear almost daily. To combat viruses, it is essential to install anti-virus software and update it frequently.

Worms

Technically speaking, worms are programs whose sole purpose is to replicate and spread themselves to other computers. Some programmers write them with no other purpose or intent than to see how far they will spread, and in many cases there is no actual payload or threat from a worm. However, in recent years, worms have been used as the vehicle by which viruses are primarily spread. Commonly, once a computer has been infected by a virus/worm (usually by opening an infected e-mail attachment), the virus component will set up and begin running an SMTP mail server, and the worm component will begin to replicate the virus/worm and e-mail it to addresses found in the computer's e-mail address book (this most frequently occurs with computers using Microsoft Outlook), with the "From:" header also taken from the address book.

XID system (integrated with University PIN System)
Allows non-Harvard ID holders to register for this other type of ID number, which can be used for authentication with University PIN-enabled applications.