Harvard University Information Security | HARVARD.EDU

Level 2

Windows file servers running SMBv3 must only permit use of encryption

Windows file servers running SMBv3 must only permit use of encryption.

More information.

LDAP servers must only permit the use of SSL-protected LDAP connections

Disable the non-secure port.

Servers must only permit use of SSL-protected SQL communications

For database communication, either use SSL or any other available option to encrypt data over the network

Email servers must only permit use of SSL-protected POP, IMAP or Exchange

More information.

Web servers must only permit use of https

How to set up an HTTPS Service in
IIS - https://support.microsoft.com/kb/324069
Apache - https://httpd.apache.org/docs/current/ssl/ssl_howto.html

Enforce password complexity in Linux

More information on Linux

Enforce password complexity for Windows servers

More information on Windows

Enforce password complexity

Server operators should implement LDAP, AD, IAM as best practice where possible. Two factor authentication is required for any system handling L3/medium risk data and above.

Ensure application owners are identified to you

Document the name, department, and role of the informed IT liaison (practice manager or service owner), contact information, and the data classification level. This should be stored in a secure local repository (such as Service Now) or a spreadsheet which is stored securely.

Overwrite data or shred the storage media

On smartphones, tablets, and encrypted USB thumb drives: enter incorrect passwords until device reformats itself, or select Factory Reset in Settings
On personally-owned laptops: remove and shred hard drive or activate full disk encryption using secret key (password) you don't share
For Harvard-purchased or Harvard-managed devices: contact local IT Support for pick-up or drop-off of devices so they can remove data and recycle
For CD/DVD: Shred at provided shredders or contact local IT Support

Require use of encrypted protocols

Set to require the use of SSL, TLS or other encrypted protocol for email and calendar access. Regardless of device type, if you are considering use of applications that will access or transfer Harvard confidential information and have questions about whether this is appropriate, contact your help desk.

Apply patches promptly

Keep the device’s OS current and apply all OS and application patches in a timely fashion (enable auto update apps if available). See "How to Work With User Devices" checklists for your device type.

University Cash Management requirements

http://otm.finance.harvard.edu/credit-card-merchant-accounts

Acknowledge a confidentiality agreement and take training

University staff members who are authorized to use confidential information must annually acknowledge the University Confidentiality Agreement (found in Peoplesoft-->Self-Service-->My Preferences and Agreements).

University staff members who are authorized to use confidential information must annually complete ...

Report possible loss, theft, or compromise of confidential information

https://security.harvard.edu/report-incident

Information Security Policy

Harvard University