For Everyone

These Information Security Requirements apply to everyone at Harvard. They provide additional detail on how to be compliant with Policy and should be used as a normal part of daily life at Harvard in order to keep both Harvard confidential data and your own personal information secure.

No Shared Passwords

U1: Users’ passwords and other access credentials must never be shared.

Protect Passwords

U2: All passwords and other access credentials must be protected.

Different Passwords

U3: Different passwords must be used for Harvard and non-Harvard accounts.

Strong Passwords

U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. (Most Harvard systems enforce length and complexity standards.)

Protecting Devices

U8: All devices (including desktops, laptops and mobile devices such as smartphones and tablets) storing or processing confidential information must meet Harvard device protection requirements.

See User Device Requirements.

Level 3 On Devices

U9: Information designated Level 3 must not be stored on user devices, or portable media, unless the device or media is encrypted.

Level 3 On Systems

U10: Information designated Level 3 or higher may only be used, stored or processed on servers or services (such as file sharing or collaboration services, cloud-based email services, cloud-based backup and recovery services, etc.) that meet applicable Harvard data protection requirements.

No Level 4 On Devices

U11: Information designated Level 4 or higher must not be stored on user computing devices, including portable computing devices such as laptops, smartphones, or tablets. Level 4 information may be stored on external encrypted portable storage media.

Loss of confidential information

U14: Any actual or suspected loss, theft, or improper use of or access to confidential information must be reported promptly.

Credit Card Transactions

U16: All users handling credit or debit card transactions must comply with University Cash Management requirements.

Configuring User Devices

D1: All user devices must be configured for secure operation. The device must be configured to limit access to the specific person or persons authorized to use the device.

Lost Devices

D2: The information stored on the device must be protected against access if the device is lost or stolen. All mobile devices (laptops, mobile phones, etc.) that may be used to store or access Harvard information, including accessing Harvard email, must be securely configured, including encryption.

Applying Patches

D3: Operating system and application patches must be applied promptly.

Configuring Applications

D4: Client applications on the device which might be used to access or transfer confidential information must be configured to protect their communications.

Disposing of Devices

D5: The information stored on the device must be protected against access when the device is disposed of.

Reporting Lost Device

D6: Any actual or suspected loss, theft, or improper use of a device storing confidential information must be reported promptly.

Device Management Systems

D7: Anyone deploying or using a device management system other than Blackberry Enterprise Server or Microsoft ActiveSync must contact the University Security Office.

Limiting Access

P1: Access must be limited to those persons with valid business reasons to access the records.

Logging Access

P3: All access to records containing Level 4 data other than access for ordinary business purposes must be logged.

Transferring Records

P4: Any physical transfer of records must use means that are appropriately secure and such transfers must be tracked to confirm that they actually reached the intended recipient.

Coordinating Faxes

P5: Level 3 or 4 records can be faxed to a non-public fax machine only if arrangements have been made so that the intended recipient will take the copies off the machine immediately upon receipt.

Destroying Records

P6: Destruction of records must be accomplished by means that make it impossible to reconstruct the records.