Level 2

Server operators

SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Credit Card Transactions

U16: All users handling credit or debit card transactions must comply with University Cash Management requirements.

No Level 4 On Devices

U11: Information designated Level 4 or higher must not be stored on user computing devices, including portable computing devices such as laptops, smartphones, or tablets. Level 4 information may be stored on external encrypted portable storage media.

Level 3 On Systems

U10: Information designated Level 3 or higher may only be used, stored or processed on servers or services (such as file sharing or collaboration services, file transfer systems, cloud-based backup and recovery services, etc.) that meet applicable Harvard data protection requirements.

Level 3 On Devices

U9: Information designated Level 3 must not be stored on user devices or portable media unless the device or media is encrypted.

Strong Passwords

U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. (Harvard systems behind HarvardKey authentication will meet our length and complexity standards.)

Different Passwords

U3: Different passwords must be used for Harvard and non-Harvard accounts.