8. All servers storing Harvard confidential information must be protected against improper access.

Current patches

SA9: Operating system and application patches must be current.

External access

SC1: Servers must not be directly accessible from the Internet or from parts of the Harvard network where there are user computers.

Idle sessions

SB3: A mechanism must be used to force re-authentication to user accounts after an idle period.

Improper access

SB5: Servers must be protected from improper network-based access.

Outbound traffic

SC4: Outbound traffic from servers must be limited to that required to properly operate the service.

Server vulnerability

SC3: Server operators must take reasonable actions on a regular basis to ensure that their systems are not vulnerable to attack.

Theft or loss

SB6: Confidential information on servers and backup media must be protected against access in the case of physical theft or loss.