Information which could cause risk of material harm to individuals or the University if disclosed. Click each Requirement to see associated How-Tos which will provide directions to comply with the Requirement.
U2: All passwords and other access credentials must be protected. They must never be stored in plaintext and must not be stored directly in scripts or configuration files.
U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. Further, users must leverage multi-factor authentication (two-step verification) wherever supported. (Harvard systems behind HarvardKey authentication will meet our length, complexity, and multi-factor standards.)
U8: All devices (including desktops, laptops and mobile devices such as smartphones and tablets) storing or processing confidential information must meet Harvard device protection requirements.
U10: Information designated Level 3 or higher may only be used, stored or processed on servers or services (such as file sharing or collaboration services, file transfer systems, cloud-based backup and recovery services, etc.) that meet applicable Harvard data protection requirements.
U11: Information designated Level 4 or higher must not be stored on user computing devices, including portable computing devices such as laptops, smartphones, or tablets. Level 4 information may be stored on external encrypted portable storage media.
U15: All users of confidential Information must both acknowledge a confidentiality agreement and be appropriately trained. Information Security Awareness training for staff is available and required.
Note: Enforcement of configurations for personally-managed devices will be phased in, beginning with alerts of non-compliance and grace periods to resolve detected gaps. D1: All devices connecting to or installed on a non-guest Harvard network or authenticating to Harvard applications must be configured for secure operation, including non-default unique passwords/credentials that limit access to authorized individuals and services, proper registration of the device on the network, current and supported operating system (firmware and software), regular updates and...
D2: The information stored on the device must be protected against access if the device is lost, stolen, or recycled/reissued to another user. All mobile devices (laptops, mobile phones, etc.) and workstations that may be used to store or access Harvard information, including accessing Harvard email, must be securely configured, including encryption of data stored on the device, where this feature is supported.
D4: Client applications on the device which might be used to access or transfer confidential information must be configured to protect their communications.
P4: Any physical transfer of records must use means that are appropriately secure and such transfers must be tracked to confirm that they actually reached the intended recipient.
P5: Level 3 or 4 records can be faxed to a non-public fax machine only if arrangements have been made so that the intended recipient will take the copies off the machine immediately upon receipt.
V2. Written contracts including appropriate university riders must be executed with all vendors/other third parties who collect, process, host, or store information classified as Level 3 and above. ...
SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA4: Communications between servers or applications must be protected, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA7: Systems that manage user passwords and other access credentials must be designed in such a way that the passwords are not retrievable by administrators.