Level 4

Information which would likely cause serious harm to individuals or the University if disclosed. Click on a Requirement for more detailed instructions on how to implement the Requirement.

No Shared Passwords

U1: Users’ passwords and other access credentials must never be shared.

Protect Passwords

U2: All passwords and other access credentials must be protected.

Different Passwords

U3: Different passwords must be used for Harvard and non-Harvard accounts.

Strong Passwords

U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. (Most Harvard systems enforce length and complexity standards.)

Protecting Devices

U8: All devices (including desktops, laptops and mobile devices such as smartphones and tablets) storing or processing confidential information must meet Harvard device protection requirements.

See User Device Requirements.

Level 3 On Systems

U10: Information designated Level 3 or higher may only be used, stored or processed on servers or services (such as file sharing or collaboration services, cloud-based email services, cloud-based backup and recovery services, etc.) that meet applicable Harvard data protection requirements.

No Level 4 On Devices

U11: Information designated Level 4 or higher must not be stored on user computing devices, including portable computing devices such as laptops, smartphones, or tablets. Level 4 information may be stored on external encrypted portable storage media.

Loss of confidential information

U14: Any actual or suspected loss, theft, or improper use of or access to confidential information must be reported promptly.

Credit Card Transactions

U16: All users handling credit or debit card transactions must comply with University Cash Management requirements.

Limiting Access

P1: Access must be limited to those persons with valid business reasons to access the records.

Logging Access

P3: All access to records containing Level 4 data other than access for ordinary business purposes must be logged.

Transferring Records

P4: Any physical transfer of records must use means that are appropriately secure and such transfers must be tracked to confirm that they actually reached the intended recipient.

Coordinating Faxes

P5: Level 3 or 4 records can be faxed to a non-public fax machine only if arrangements have been made so that the intended recipient will take the copies off the machine immediately upon receipt.

Destroying Records

P6: Destruction of records must be accomplished by means that make it impossible to reconstruct the records.

Contract language

V2: Contracts with vendors managing Level 3 or Level 4 information must contain specific confidentiality language approved by the Office of General Counsel (OGC), or be reviewed by the OGC. Find out more about appropriate Contract Riders for Vendors.

Level 4 vendors

V3: The security design, policies, and procedures of vendors and parties who will collect, process, host or store Level 4 information must be reviewed by a University Information Security Officer. Find out more about appropriate Contract Riders for Vendors.

Application owner and classification level

SA1: Server operators must be able to identify a responsible party, known as the business application owner, for each application on the server and the data classification level of the information that the application stores and processes.

Complex passwords

SA2: Servers and applications that manage passwords must force the setting of a complex password. This must meet the following requirements where technically feasible (consult the Security office if the following requirements are not technically feasible):

Server communication

SA3: Communications between servers or applications and client machines must be protected. 

Appropriate user access

SA6: Users must only be permitted to access a server or application after their current business need for access has been established.

Stored passwords

SA7: Systems that manage user passwords must be designed in such a way that the passwords are not retrievable by administrators.

Password Management

SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords requires L4 security.

Current patches

SA9: Operating system and application patches must be current.

Malware detection

SA10: Servers must be running applicable malware detection software with up-to-date signature files.

No shared accounts

SA11: Server operators must not knowingly permit shared user account credentials.

Highest classification

SA13: Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification.

Server operators

SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements.

Password guessing

SB2: Servers or applications must implement a mechanism that inhibits password guessing attacks on user accounts if the server or application does its own authentication.

Idle sessions

SB3: A mechanism must be used to force re-authentication to user accounts after an idle period.

Improper access

SB5: Servers must be protected from improper network-based access.

Theft or loss

SB6: Confidential information on servers and backup media must be protected against access in the case of physical theft or loss.

Logging access

SB7: User and administrator access to servers and applications must be logged.

Reviewing logs

SB9: The logs must periodically be reviewed for anomalous behavior.

  •  
  • 1 of 2
  • »

Protect identifiable records with Social Security Numbers according to Level 4 requirements

SSN1: All records compiled or maintained by or for Harvard that contain full SSNs plus other information that can connect the record to an individual (e.g. date of birth, phone number, address, etc.), wherever located and whatever the format, are High Risk Confidential Information and must satisfy the applicable processing and protection requirements for Level 4 data.

Compile and maintain identifiable records with Social Security Numbers only when required by law

SSN2: New collection processes or new research grants effective on or after July 1, 2017: Identifiable records containing full SSNs may be compiled and maintained only to comply with a specific legal requirement. Full SSNs plus identifiable information may only be used or printed in documents where it is legally required. Identifiable records with full SSNs may not be compiled or maintained if there is no legal requirement for that specific data.

Dispose of or archive identifiable records with full Social Security Numbers securely when retention no longer required by law

SSN3: When no longer required by law or for the business purpose approved through the exception process, electronic or printed identifiable records containing full SSNs and not subject to a legal hold must be properly disposed of so that the information cannot be retrieved or reassembled.

Report location and volumes of identifiable records with full Social Security Numbers annually

SSN4: The Harvard “business owner” of any records containing identifiable records with full SSNs, whether electronic or paper, stored by the Harvard unit or by a vendor, must annually report that there are such records and describe the system or systems on which they are maintained, the retention schedule, the location of the system(s), and the approximate number of such records containing full SSNs.