Harvard Management Co. may sound like the name of just another braintrust, but don’t be fooled: it’s the high-powered investment firm managing Harvard’s whopping $30 billion endowment.
About 170 investment professionals situated across three floors of Boston’s Federal Reserve building are busy on phone and computer, managing funds in everything from stocks to real estate, and making use of a network that connects into the Depository Trust and Clearing Corp., the international SWIFT banking network as well as a disaster-recovery facility connected by dark fiber several miles away.
“The trading volume runs between 200 to 400 trades per day, and the value is high,” says John Bergen, CIO in charge of the technology side. “Security is always a concern.”
Bergen said he wanted to get an objective view on how well Harvard Management was doing in terms of security, so he invited consultants from SystemExperts to review the firm’s operations and practices against the benchmark of the ISO 17799 standard. Harvard Management develops a lot of its Java-based applications internally and has wireless LANs providing office connectivity.
“It’s a way for us to learn about how to follow best practices,” Bergen says. The ISO 17799 standard is a sort of security health checkup based on 10 fundamental controls that range from business-continuity planning, system-access control, physical and environmental security, to security policy and compliance.
Bergen said the ISO 17799 review, which took place last spring over the course of more than a month and cost about $60,000, helped the four dozen technology professionals in Harvard Management’s IT group fine-tune their practices and procedures.
“The ISO 17799 showed us there were some things we weren’t doing that we should be doing,” Bergen said. “We didn’t have a written security to define specific things, such as how passwords should change. There were other things as well that pertain to us.”
The ISO 17799 review done by SystemExperts turned out to be very interactive, with Harvard Management providing written responses to questions and sessions on site to validate the answers.
“We use encryption with brokers when e-mailing someone, and they’d look to validate that,” Bergen said. “I’m not after an ISO certification to put on the wall. I’m more interested in knowing whether we’re thinking about the right things and doing them.”
Harvard Management, which recently hired a chief compliance officer to assist with making sure the firm is prepared for regulatory audits, learned the value of a well-documented security policy through the ISO 17799 review.
“We have to do documentation,” said Bergen, noting that means documenting a succession plan for every IT position so that if someone goes on vacation or otherwise departs, it’s clear who takes up the responsibilities.
“ISO 17799 is basically just a cheap form of insurance to reduce risk,” he said.