Before deletion or shredding of records, check to ensure that the records are no longer needed, and remember that some records that contain Social Security Numbers (SSNs) or other High Risk Confidential Information may be scheduled as eligible for transfer to Archives. Store any University Archives-selected identifiable records containing full SSNs securely; and see the HU...
Use only the confidential information that you need for your role. If you change roles, ensure that any access that is no longer required is removed.
If you move from a job with one security access level to another role with a different level of access, make sure your new level is appropriate for your role. Check with your manager or HR officer for the right level of access.
SA13: Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA11: Server operators must not knowingly permit shared user account credentials, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA10: All servers must run malware detection and endpoint detection and response software with up-to-date signature files, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA9: Operating system and application patches must be current and supported by the vendor or Open Source project, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords requires L4 security.
SA7: Systems that manage user passwords and other access credentials must be designed in such a way that the passwords are not retrievable by administrators.
SA6: Users must only be permitted to access a server or application after their current business need for access has been established, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA5: Default passwords must be changed and generic accounts must be disabled or removed before the server or application is put into use, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
