Configure vulnerability scanning software appropriately

Configure Tenable to scan servers every 30 days.

Install vulnerability scanning software appropriately

Install Tenable on all servers

Handle Security Logs Appropriately

Logs should be stored within a central log server or log storage solution provided by the IaaS/SaaS provider....

Manage Access

Refer to the university ...

Log Retention

SC10: Logs required by the Harvard Information Security Policy must be retained for a minimum of 90 days, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's...

Users of administrative accounts on certain enterprise systems must complete the account attestation process.

Administrative Account Attestation for Enterprise SystemsThe annual administrative account attestation process is...

Collecting Confidential Information

U17: Only the minimum information reasonably necessary to accomplish the intended business purpose should be obtained

Set application inactivity time-out

Force re-authentication after a defined period of inactivity within the server-side application, where this feature is available.

Configure your laptop or desktop for secure operation and storage

Personally owned and managed: Follow the Personal Device Security Guides
Harvard-managed or Harvard-purchased laptops and desktops must run Crowdstrike endpoint detection and response client. For other configuration detail, check with your...

Important Steps for Configuring Active Directory

Logging:

Keep domain controller logs centrally.
Keep security logs from all domain joined servers centrally.
Create and monitor alerts on:
- The use (success or failure) of any domain administrator credentials.
- The use of any local administrator credentials.
- Changes to domain administrator or other sensitive groups in AD.

Cached Credentials:

Use GPO to set cached credentials on servers to the minimum you possibly can (0 or 1 for servers - for desktops, you may find...

Coordinate Harvard authentication with Identity & Access Management (IAM)

Consult the IAM website for authentication protocol options and guides. For additional assistance, please email ithelp@harvard.edu or submit a ServiceNow ticket under the subcategory of Authentication Services: Consulting.

Central Authentication Services

SB12. Servers or applications, whether managed directly by Harvard or via contract with a third-party service provider for Harvard's use (...

Use a secure file transfer method

Send files containing Level 3 or Level 4 confidential information using a secure file transfer method.

For more information on the new Harvard Secure File Transfer powered by Kiteworks, see the Knowledge Base Articles.

Use Identity Finder

Identity Finder is tool for system administrators to locate HRCI Level 4 information on the systems they manage.

Detailed Identity Finder instructions for PC users.

Detailed Identity Finder instructions for Mac users.

Ensure approved contract language

Contracts covering the use of Level 3 or 4 confidential information must include confidentiality language approved by the Office of the General Counsel. The Personal Data Protection contract rider is acceptable to append to an existing contract and may be found at the OGC website.

Information Security Policy

Harvard University

Level 3