Level 2

Share information carefully

Only share confidential information with those authorized to receive it. Check with the data owner if there is a question.

Use only the confidential information you need for your job

Use only the confidential information that you need for your role. If you change roles, ensure that any access that is no longer required is removed. 

If you move from a job with one security access level to another role with a different level of access, make sure your new level is appropriate for your role. Check with your manager or HR officer for the right level of access.

Highest classification

SA13: Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

No shared accounts

SA11: Server operators must not knowingly permit shared user account credentials, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Malware detection and endpoint detection and response

SA10: All servers must run malware detection and endpoint detection and response software with up-to-date signature files, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Current patches

SA9: Operating system and application patches must be current and supported by the vendor or Open Source project, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Password Management

SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords require L4 security.

Stored passwords

SA7: Systems that manage user passwords and other access credentials must be designed in such a way that the passwords are not retrievable by administrators.

Appropriate user access

SA6: Users must only be permitted to access a server or application after their current business need for access has been established, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Default passwords and generic accounts

SA5: Default passwords must be changed and generic accounts must be disabled or removed before the server or application is put into use, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).          

Device Management Systems

D7: Anyone deploying or using a mobile device management system other than Microsoft ActiveSync must contact the University Security Office.

Reporting Lost Device

D6: Any actual or suspected loss, theft, or improper use of a device storing confidential information must be reported promptly.

Disposing of Devices

D5: The information stored on the device must be protected against access when the device is disposed of.

Configuring Applications

D4: Client applications on the device which might be used to access or transfer confidential information must be configured to protect their communications.

Applying Patches

D3: Operating system and application patches must be applied promptly.
