U1: Users’ passwords and other access credentials must never be shared.

U2: All passwords and other access credentials must be protected. They must never be stored in plaintext and must not be stored directly in scripts or configuration files.

U3: Different passwords must be used for Harvard and non-Harvard accounts.

U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. Further, users must leverage multi-factor authentication (two-step verification) wherever supported. (Harvard systems behind HarvardKey authentication will meet our length, complexity, and multi-factor standards.)

U5: Passwords must be changed immediately if there is suspicion of compromise.

U6: Confidential information must only be accessed for authorized purposes.

U7: Confidential information (Level 2+) must only be shared with those authorized to receive it. 

U8: All devices (including desktops, laptops and mobile devices such as smartphones and tablets) storing or processing confidential information must meet Harvard device protection requirements.

See User Device Requirements.

U9: Information designated Level 3 must not be stored on user devices, or portable media, unless the device or media is encrypted.

U10: Information designated Level 3 or higher may only be used, stored or processed on servers or services (such as file sharing or collaboration services, file transfer systems, cloud-based backup and recovery services, etc.) that meet applicable Harvard data protection requirements.

U11: Information designated Level 4 or higher must not be stored on user computing devices, including portable computing devices such as laptops, smartphones, or tablets. Level 4 information may be stored on external encrypted portable storage media.

U12: Confidential information in any form must be appropriately protected.

U13: Confidential information in any form must be appropriately disposed of when it is no longer needed.

U14: Any actual or suspected loss, theft, or improper use of or access to confidential information must be reported promptly.

U15: All users of confidential Information must both acknowledge a confidentiality agreement and be appropriately trained. Information Security Awareness training for staff is available and required.

U16: All users handling credit or debit card transactions must comply with University Cash Management requirements.

All devices must be configured for secure storage, transport, and disposal of confidential information.

Note: Enforcement of configurations for personally-managed devices will be phased in, beginning with alerts of non-compliance and grace periods to resolve detected gaps.
D1: All devices connecting to or installed on a non-guest Harvard network or authenticating to Harvard applications must be configured for secure operation, including non-default unique passwords/credentials that limit access to authorized individuals and services, proper registration of the device on the network, current and supported operating system (firmware and software), regular updates and...

D2: The information stored on the device must be protected against access if the device is lost, stolen, or recycled/reissued to another user. All mobile devices (laptops, mobile phones, etc.) and workstations that may be used to store or access Harvard information, including accessing Harvard email, must be securely configured, including encryption of data stored on the device, where this feature is supported.

D3: Operating system and application patches must be applied promptly.

D4: Client applications on the device which might be used to access or transfer confidential information must be configured to protect their communications.

D5: The information stored on the device must be protected against access when the device is disposed of.

D6: Any actual or suspected loss, theft, or improper use of a device storing confidential information must be reported promptly.

D7: Anyone deploying or using a mobile device management system other than Microsoft ActiveSync must contact the University Security Office.

P1: Access must be limited to those persons with valid business reasons to access the records.

P2: Records must be locked up when not in active use.

P4: Any physical transfer of records must use means that are appropriately secure and such transfers must be tracked to confirm that they actually reached the intended recipient.

P5: Level 3 or 4 records can be faxed to a non-public fax machine only if arrangements have been made so that the intended recipient will take the copies off the machine immediately upon receipt.

P6: Destruction of records must be accomplished by means that make it impossible to reconstruct the records.

V1. Written contracts and appropriate riders must be executed with all vendors and other third parties who have access to Harvard non-public systems.

V2. Written contracts including appropriate university riders must be executed with all vendors/other third parties who collect, process, host, or store information classified as Level 3 and above.   ...

SB12. Servers or applications, whether managed directly by Harvard or via contract with a third-party service provider for Harvard's use (...

SB2: Servers or applications must implement a mechanism that inhibits password guessing attacks on user accounts if the server or application does its own authentication, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB8: Administrative functions on servers and applications must be logged, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SA1: Server operators must be able to identify a responsible party, known as the business application owner, for each application on the server and the data classification level of the information that the application stores and processes.

SA6: Users must only be permitted to access a server or application after their current business need for access has been established, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB12. Servers or applications, whether managed directly by Harvard or via contract with a third-party service provider for Harvard's use (...

SA2: Servers and applications that manage passwords must force the setting of a complex password. Further, they must enforce multi-factor authentication where technically possible. Complexity and reset frequency must meet the following requirements where technically feasible (consult the Security office if the following requirements are not technically feasible):... Read more about Complex passwords

SA9: Operating system and application patches must be current and supported by the vendor or Open Source project, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SA5: Default passwords must be changed and generic accounts must be disabled or removed before the server or application is put into use, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).          

SA13: Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB3: A mechanism must be used to force re-authentication to user accounts after an idle period, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB5: Servers must be protected from improper network-based access, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SC10: Logs required by the Harvard Information Security Policy must be retained for a minimum of 90 days, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's...

SB7: User and administrator access to servers and applications must be logged, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SA10: All servers must run malware detection and endpoint detection and response software with up-to-date signature files, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SA11: Server operators must not knowingly permit shared user account credentials, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords requires L4 security.

SB10: Server and application operators must promptly inform the appropriate escalation contacts of any possible breaches, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB9: The logs must periodically be reviewed for anomalous behavior, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB11: Information designated level 3 or 4 must be properly disposed of by securely overwriting the information or physically destroying the media when no longer needed, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SA3: Communications between servers or applications and client machines must be protected, whether these servers are managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).