4. All access to systems handling Harvard confidential information must be for authorized Harvard purposes.

For Servers

Access logs

SC6: Logs of user and administrator access to servers and applications must be securely maintained on a remote computer.

Appropriate user access

SA6: Users must only be permitted to access a server or application after their current business need for access has been established.

Logging access

SB7: User and administrator access to servers and applications must be logged.

Permitted access

SC5: The business application owner for applications dealing with Level 4 information must designate which employees have permission to access level 4 information about others from outside the Harvard wired or other Harvard strongly authenticated and encrypted wireless network.