Collecting Confidential Information

U17: Only the minimum information reasonably necessary to accomplish the intended business purpose should be obtained

Set application inactivity time-out

Force re-authentication after a defined period of inactivity within the server-side application, where this feature is available.

Configure your laptop or desktop for secure operation and storage

Personally owned and managed: Follow the Personal Device Security Guides
Harvard-managed or Harvard-purchased laptops and desktops must run Crowdstrike endpoint detection and response client. For other configuration detail, check with your...

Important Steps for Configuring Active Directory

Logging:

Keep domain controller logs centrally.
Keep security logs from all domain joined servers centrally.
Create and monitor alerts on:
- The use (success or failure) of any domain administrator credentials.
- The use of any local administrator credentials.
- Changes to domain administrator or other sensitive groups in AD.

Cached Credentials:

Use GPO to set cached credentials on servers to the minimum you possibly can (0 or 1 for servers - for desktops, you may find...

Coordinate Harvard authentication with Identity & Access Management (IAM)

Consult the IAM website for authentication protocol options and guides. For additional assistance, please email ithelp@harvard.edu or submit a ServiceNow ticket under the subcategory of Authentication Services: Consulting.

Central Authentication Services

SB12: Servers or applications classified as medium risk or higher, or handling data classified as L3 or higher, whether managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS), must use a centrally-managed Harvard authentication system that requires more than one factor for authentication where technically feasible, e.g. HarvardKey or Harvard VPN, or comparable non-Harvard multi-factor authentication system (supported/approved by Harvard).

Use a secure file transfer method

Send files containing Level 3 or Level 4 confidential information using a secure file transfer method.

For more information on the new Harvard Secure File Transfer powered by Kiteworks, see the Knowledge Base Articles.

Use Identity Finder

Identity Finder is a tool which users can run them selves to identify any Level 4 High Risk Confidential Information.

Detailed Identity Finder instructions for PC users.

Detailed Identity Finder instructions for Mac users.

Ensure approved contract language

Contracts covering the use of Level 3 or 4 confidential information must include confidentiality language approved by the Office of the General Counsel. The Personal Data Protection contract rider is acceptable to append to an existing contract and may be found at the OGC website.

Ensure contracts in place for confidential information

Massachusetts 201CMR requires that written contracts be enacted with vendors managing Level 4 personally identifiable information. Review contract model documents at the Office of the General Counsel website.

Coordinate to ensure safe faxing

Contact the recipient in advance to ensure that the Level 3 or 4 confidential information is removed from the fax machine promptly. Do not fax to an unattended machine or to one in an open area.

Transfer records securely and confirm receipt

Options to meet this requirement:
In every case below, use a sealed envelope.

When you can or when the risk dictates [sensitivity, number of records], choose hand delivery or ensure tracking/delivery confirmation. Ensure that you put in a mailbox or FedEx box as opposed to leaving in a basket in an open area for someone else to do so.

-Hand deliver (make sure you hand it to the intended recipient )
-University mail (up to Level 3)
-US Mail (use tracking/delivery confirmation where practical)
-FedEX/UPS (use tracking/delivery...

Protect paper records by locking

For Level 2-3, use a locked file cabinet which contains records when not in use.

Limit access to confidential information in paper

Consult the business owner for current and accurate identification of those approved for access to confidential information in paper form. Log access to Level 4 information.

Encryption should be implemented where feasible

Encryption should be implemented where technically and economically feasible.

Information Security Policy

Harvard University

Level 3