Level 2

Strong Passwords

U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. Further, users must use multi-factor authentication (two-step verification) wherever it is supported. (Harvard systems behind HarvardKey authentication meet our length, complexity, and multi-factor standards.)

Different Passwords

U3: Different passwords must be used for Harvard and non-Harvard accounts.

Protect Passwords

U2: All passwords and other access credentials must be protected. They must never be stored in plaintext and must not be stored directly in scripts or configuration files.
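A practitioner checking U2 wants a quick way to find credentials that have been written straight into scripts or configuration files. The following is an added example, not part of Harvard's policy page or tooling: a small pattern-based scanner run over constructed sample lines. The credential key names and the sample file contents are assumptions chosen for the demonstration; the values are made up.

```python
import re

# Constructed sample files (not real Harvard files); the secret values are made up.
SAMPLE_FILES = {
    "deploy.sh": [
        "#!/bin/sh",
        'DB_PASSWORD="hunter2"',            # plaintext secret written into a script
        "psql -U app -h db.example.edu",
    ],
    "app.ini": [
        "[database]",
        "user = app",
        "password = ${DB_PASSWORD}",        # indirection to an environment variable: acceptable
        "api_key = abcdef0123456789",       # plaintext secret written into a config file
    ],
}

# Key names that commonly carry credentials (assumed list; extend for your environment).
CREDENTIAL_KEYS = ("password", "passwd", "pwd", "secret", "api_key", "apikey", "token")

# key = value  /  key: value  /  export KEY=value
ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+)?(?P<key>[A-Za-z_][A-Za-z0-9_.-]*)\s*[=:]\s*(?P<value>.+?)\s*$"
)
# Values that are placeholders or references, not secrets: ${VAR}, $VAR, <placeholder>, changeme
INDIRECTION = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$|^<[^>]+>$|^changeme$", re.I)


def find_plaintext_credentials(lines, filename="<input>"):
    """Return (filename, line number, key) for every assignment of a literal value
    to a credential-looking key. References to environment variables or secret
    managers are skipped; literal values are reported."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key = m.group("key")
        if not any(k in key.lower() for k in CREDENTIAL_KEYS):
            continue
        value = m.group("value").strip().strip("'\"")
        if not value or INDIRECTION.match(value):
            continue
        findings.append((filename, lineno, key))
    return findings


def scan(files):
    """Scan a mapping of filename -> list of lines and collect all findings."""
    results = []
    for name, lines in files.items():
        results.extend(find_plaintext_credentials(lines, name))
    return results


if __name__ == "__main__":
    for filename, lineno, key in scan(SAMPLE_FILES):
        print(f"{filename}:{lineno}: literal value assigned to credential key '{key}'")
```

The check is deliberately conservative: it flags literal values and lets environment-variable or placeholder references through, which is the pattern the policy asks for (keep the secret in a vault or injected environment, keep only the reference in the file). It is pattern-based, so it will also flag keys such as `password_hash` that hold non-secret values; treat its output as a review list, not a verdict.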

No Shared Passwords

U1: Users’ passwords and other access credentials must never be shared.

Destroying Records

P6: Destruction of records must be accomplished by means that make it impossible to reconstruct the records.

Transferring Records

P4: Any physical transfer of records must use means that are appropriately secure and such transfers must be tracked to confirm that they actually reached the intended recipient.

Limiting Access

P1: Access must be limited to those persons with valid business reasons to access the records.

Ensure individual user identification

Server operators must not knowingly set up accounts that will be shared by multiple users unless there is a process by which the individual users can be identified. Using “sudo” or “runas” to give individually authenticated users access to a shared account satisfies this requirement.
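The reason “sudo” satisfies this requirement is that each invocation is logged under the invoking user's own identity, so actions taken as the shared account can be traced back to a person. The example below, added here and not part of Harvard's policy page or tooling, parses a constructed auth.log excerpt in sudo's default log format to attribute each command to its invoker, and separately flags direct SSH logins to a shared account, which bypass that attribution. The host name, user names and addresses are invented for the demonstration.

```python
import re

# Constructed auth.log excerpt (not from a real host). The sudo lines follow
# sudo's default syslog format; the sshd line is a standard accepted-login message.
SAMPLE_AUTH_LOG = """\
Mar  3 10:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=svc-web ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:15:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 10:16:02 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:20:13 web01 sshd[2211]: Accepted publickey for svc-web from 10.0.0.5 port 51122 ssh2
""".splitlines()

# sudo:    <invoker> : [user NOT in sudoers ;] TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<invoker>\S+)\s+:\s+(?:(?P<denied>user NOT in sudoers)\s+;\s+)?"
    r"TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>.+?)\s+;\s+USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<command>.+)$"
)
SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


def attribute_sudo(lines):
    """Map each sudo invocation back to the individual who ran it.
    Returns one dict per sudo line: invoker, target account, command, and
    whether the request was allowed (denied attempts are still attributable)."""
    events = []
    for line in lines:
        m = SUDO_LINE.search(line)
        if m:
            events.append({
                "invoker": m.group("invoker"),
                "target": m.group("target"),
                "command": m.group("command"),
                "allowed": m.group("denied") is None,
            })
    return events


def unattributed_logins(lines, shared_accounts):
    """Direct logins to a shared account skip sudo, so nothing ties the session
    to a person. Return (account, source address) for each such login."""
    hits = []
    for line in lines:
        m = SSH_LOGIN.search(line)
        if m and m.group("user") in shared_accounts:
            hits.append((m.group("user"), m.group("src")))
    return hits


if __name__ == "__main__":
    for e in attribute_sudo(SAMPLE_AUTH_LOG):
        status = "ran" if e["allowed"] else "was DENIED"
        print(f"{e['invoker']} {status} as {e['target']}: {e['command']}")
    for account, src in unattributed_logins(SAMPLE_AUTH_LOG, {"svc-web"}):
        print(f"WARNING: direct login to shared account {account} from {src}; no individual identified")
```

The second function is the check that matters operationally: if people can log straight into the shared account, the sudo trail is incomplete. Disabling direct password and key logins to the shared account, and requiring users to reach it through sudo or runas, keeps every action attributable.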

Run malware detection and endpoint detection and response software

  • Servers owned and managed directly by Harvard must run CrowdStrike endpoint detection and response software.
  • Servers managed via contract with a third-party service for Harvard's use must run applicable malware detection and endpoint detection and response software with up-to-date signature files.

Application patching

Evaluate, schedule, and apply any missing application security updates in a timely manner.