Logging:

• Keep domain controller logs centrally.
• Keep security logs from all domain joined servers centrally.
• Create and monitor alerts on:
  • The use (success or failure) of any domain administrator credentials.
  • The use of any local administrator credentials.
  • Changes to domain administrator or other sensitive groups in AD.

Cached Credentials:

• Use GPO to set cached credentials on servers to the minimum you possibly can (0 or 1 for servers - for desktops, you may find...

Consult the IAM website for authentication protocol options and guides. For additional assistance, please email ithelp@harvard.edu or submit a ServiceNow ticket under the subcategory of Authentication Services: Consulting.

Send highly sensitive or significant amounts of Level 3 confidential information and any Level 4 confidential information by a secure file transfer method.

Secure File Transfer powered by Accellion Kiteworks is available by following the links below.

For more information on the new Harvard Secure File Transfer powered by Kiteworks, visit our Service Catalog and our ...

Identity Finder is a tool which users can run them selves to identify any Level 4 High Risk Confidential Information.

Detailed Identity Finder instructions for PC users.

Detailed Identity Finder instructions for Mac users.

Contracts covering the use of Level 3 or 4 confidential information must include confidentiality language approved by the Office of the General Counsel. The Personal Data Protection contract rider is acceptable to append to an existing contract and may be found at the OGC website. 

Massachusetts 201CMR requires that written contracts be enacted with vendors managing Level 4 personally identifiable information. Review contract model documents at the Office of the General Counsel website.  

Shred papers, CDs, DVDs, etc. with confidential information using Harvard's approved shredding vendor (Data Shredder) or a crosscut shredder. DataShredder also provides hard drive destruction service. The Harvard agreement provides prescheduled pickup service for bins and office consoles and a onetime purge service. A certificate of destruction is always provided for services under contract.

For more information on the University Master Service Agreement please refer to:

...

Contact the recipient in advance to ensure that the Level 3 or 4 confidential information is removed from the fax machine promptly. Do not fax to an unattended machine or to one in an open area.

Options to meet this requirement:
In every case below, use a sealed envelope.

When you can or when the risk dictates [sensitivity, number of records], choose hand delivery or ensure tracking/delivery confirmation. Ensure that you put in a mailbox or FedEx box as opposed to leaving in a basket in an open area for someone else to do so.

-Hand deliver (make sure you hand it to the intended recipient )
-University mail (up to Level 3)
-US Mail (use tracking/delivery confirmation where practical)
-FedEX/UPS (use tracking/delivery...

For Level 2-3, use a locked file cabinet which contains records when not in use.

Consult the business owner for current and accurate identification of those approved for access to confidential information in paper form. Log access to Level 4 information.

 If not using one of the above servers then encryption should be implemented where technically and economically feasible.

Remote login to all servers must only permit the use of encrypted communications such as ssh. Windows servers must enforce a minimum of 128-bit encryption for Terminal Services and Remote Desktop communication. All servers running SSH must use a minimum of protocol version 2. Use of VPN is advised where available

Windows file servers running SMBv3 must only permit use of encryption. http://blogs.msdn.com/b/openspecification/archive/2012/06/08/encryption-in-smb3.aspx