Level 2

Enforce password complexity

Server operators should implement centralized authentication (LDAP, AD, IAM) as best practice where possible. Two-factor authentication is required for any system handling L3/medium risk data and above.

Ensure application owners are identified to you

Document the name, department, and role of the informed IT liaison (practice manager or service owner), their contact information, and the data classification level. Store this record in a secure local repository (such as ServiceNow) or in a spreadsheet that is itself stored securely.

Overwrite data or shred the storage media

  • On smartphones, tablets, and encrypted USB thumb drives: enter incorrect passwords until the device wipes itself, or select Factory Reset in Settings
  • On personal laptops: remove and shred the hard drive, or activate full disk encryption using a secret key (password) that you don't share
  • For Harvard-managed devices: contact local IT Support for pick-up or drop-off of devices so they can remove the data and recycle the hardware
  • For CD/DVD: shred at the provided shredders or contact local IT Support

Require use of encrypted protocols

Configure email and calendar clients to require SSL, TLS, or another encrypted protocol for all access. Regardless of device type, if you are considering applications that will access or transfer Harvard confidential information and have questions about whether this is appropriate, contact your help desk.

Apply patches promptly

Keep the device's OS current and apply all OS and application patches in a timely fashion (enable automatic updates for apps where available). See the "How to Work With User Devices" checklists for your device type.

Dispose of confidential information suitably

Before deleting or shredding records, check that the records are no longer needed, and remember that some records containing Social Security Numbers (SSNs) or other High Risk Confidential Information may be scheduled as eligible for transfer to Archives. Store any Archive-selected identifiable records containing full SSNs securely, and see HU Records Management Services for further...


Share information carefully

Only share confidential information with those authorized to receive it. Check with the data owner if there is a question.

Use only the confidential information you need for your job

Use only the confidential information that you need for your role. If you change roles, ensure that any access that is no longer required is removed.

If you move from a job with one security access level to another role with a different level of access, make sure your new level is appropriate for your role. Check with your manager or HR officer for the right level of access.

Highest classification

SA13: Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).