U8: All devices (including desktops, laptops and mobile devices such as smartphones and tablets) storing or processing confidential information must meet Harvard device protection requirements.
See User Device Requirements.
SA9: Operating system and application patches must be current.
SA5: Default passwords must be changed and generic accounts must be disabled or removed before the server or application is put into use.
SC1: Servers must not be directly accessible from the Internet or from parts of the Harvard network where there are user computers.
SB3: A mechanism must be used to force re-authentication to user accounts after an idle period.
SB5: Servers must be protected from improper network-based access.
SC4: Outbound traffic from servers must be limited to that required to properly operate the service.
SC2: Servers with Level 4 information must be on private address space.
SC3: Server operators must take reasonable actions on a regular basis to ensure that their systems are not vulnerable to attack.
SB6: Confidential information on servers and backup media must be protected against access in the case of physical theft or loss.