6. All users of Harvard confidential information resources must be accurately and individually identified.

No Shared Passwords

U1: Users’ passwords and other access credentials must never be shared.

Configuring User Devices

D1: All user devices must be configured for secure operation. The device must be configured to limit access to the specific person or persons authorized to use the device.

Central Authentication Services

SB12: Servers or applications handling data classified as L3 or higher, whether managed directly by Harvard or a contracted vendor (e.g. SaaS), must use a centrally-managed Harvard authentication system where feasible, e.g. HarvardKey or HUIT Active Directory, or an authentication system approved by the School or University CIO.

Malware Detection

SA10: Servers must be running applicable malware detection software with up-to-date signature files.

Stored Passwords

SA7: Systems that manage user passwords must be designed in such a way that the passwords are not retrievable by administrators.