Level 2

Choose a strong and memorable password

1. No common names or dictionary words. (A multi-word phrase with no spaces is acceptable.)
2. Include at least one character from at least 3 of the following 4 categories:
   - at least one uppercase letter
   - at least one lowercase letter
   - at least one number
   - at least one special character
3. Meet one of these three length requirements (two of which carry an additional condition):
   - 10 characters minimum
   - 8 characters minimum and annual password reset/expiration
   - 8 characters minimum and a second authentication factor
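As an added illustration of the three rules above (not code from the original page), a small checker that reports which rule a candidate password fails; the word list is a constructed sample and the two flags stand in for the account's compensating controls under rule 3:

```python
import string

# Constructed sample word list for illustration; a real deployment would load
# a full dictionary and common-name list (assumption, not part of the page).
COMMON_WORDS = {"password", "harvard", "welcome", "summer", "michael", "jennifer"}


def character_classes(pw: str) -> int:
    """Count how many of the four classes (upper, lower, digit, special) appear in pw."""
    present = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(present)


def check_password(pw: str, annual_reset: bool = False, second_factor: bool = False) -> list:
    """Return the list of Level 2 rules the password violates (empty means compliant).

    annual_reset / second_factor describe the account's controls and select which
    of the three length options in rule 3 applies.
    """
    problems = []
    # Rule 1: a single common name or dictionary word is rejected; a concatenated
    # multi-word phrase is not in the list as a whole, so it passes this rule.
    if pw.lower() in COMMON_WORDS:
        problems.append("rule 1: common name or dictionary word")
    # Rule 2: at least 3 of the 4 character classes.
    if character_classes(pw) < 3:
        problems.append("rule 2: fewer than 3 of 4 character classes")
    # Rule 3: 10 characters, or 8 when a compensating control is in place.
    minimum = 8 if (annual_reset or second_factor) else 10
    if len(pw) < minimum:
        problems.append(f"rule 3: shorter than {minimum} characters")
    return problems


if __name__ == "__main__":
    for pw, kw in [("Tr0ub4dor!", {}), ("Tr0ub4d!", {}), ("Tr0ub4d!", {"second_factor": True}),
                   ("correcthorsebatterystaple", {}), ("Password", {})]:
        print(pw, kw, check_password(pw, **kw) or "compliant")
```

Note that "correcthorsebatterystaple" clears rule 1 as a phrase but still fails rule 2, since the category requirement applies regardless of length.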

Use a 4-digit PIN

For smartphones and tablets, a 4-8 digit PIN is acceptable as long as you also configure the device to erase itself after 10 bad password guesses.

For Exchange users, this erase-after-10-failed-guesses setting is applied by default and the user must set the PIN. Those not using Exchange should see their device manual for instructions.

Use a password management application

Use a password management application like 1Password, LastPass, KeePass or iCloud Keychain that generates, stores and protects long, random, unique passwords.

Use a departmental file share

Eliminate the need for account sharing by using your departmental file share for documents that need to be shared with or accessed by others.

Configure Devices

All devices must be configured for secure storage, transport, and disposal of confidential information.

Server-application communication

SA4: Communications between servers or applications must be protected, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Server communication

SA3: Communications between servers or applications and client machines must be protected, whether these servers are managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Complex passwords

SA2: Servers and applications that manage passwords must force the setting of a complex password. This must meet the following requirements where technically feasible (consult the Security office if the following requirements are not technically feasible): ...

Application owner and classification level

SA1: Server operators must be able to identify a responsible party, known as the business application owner, for each application on the server and the data classification level of the information that the application stores and processes.