Ensure contracts in place for confidential information

Massachusetts 201CMR requires that written contracts be enacted with vendors managing Level 4 personally identifiable information. Review contract model documents at the Office of the General Counsel website.

Coordinate to ensure safe faxing

Contact the recipient in advance to ensure that the Level 3 or 4 confidential information is removed from the fax machine promptly. Do not fax to an unattended machine or to one in an open area.

Transfer records securely and confirm receipt

Options to meet this requirement:
In every case below, use a sealed envelope.

When you can or when the risk dictates [sensitivity, number of records], choose hand delivery or ensure tracking/delivery confirmation. Ensure that you put in a mailbox or FedEx box as opposed to leaving in a basket in an open area for someone else to do so.

-Hand deliver (make sure you hand it to the intended recipient )
-University mail (up to Level 3)
-US Mail (use tracking/delivery confirmation where practical)
-FedEX/UPS (use tracking/delivery...

Protect paper records by locking

For Level 2-3, use a locked file cabinet which contains records when not in use.

Limit access to confidential information in paper

Consult the business owner for current and accurate identification of those approved for access to confidential information in paper form. Log access to Level 4 information.

Encryption should be implemented where feasible

Encryption should be implemented where technically and economically feasible.

Remote login must only permit the use of encrypted communications

Remote login to all servers must only permit the use of encrypted communications such as ssh. Windows servers must enforce a minimum of 128-bit encryption for Terminal Services and Remote Desktop communication. All servers running SSH must use a minimum of protocol version 2. Use 2-factor VPN to connect through the firewall first.

Windows file servers running SMBv3 must only permit use of encryption

Windows file servers running SMBv3 must only permit use of encryption.
https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-security

LDAP servers must only permit the use of SSL-protected LDAP connections

Disable the non-secure port.

Servers must only permit use of SSL-protected SQL communications

For database communication, either use SSL or any other available option to encrypt data over the network.

Email servers must only permit use of SSL-protected POP, IMAP or Exchange

https://www.vircom.com/blog/top-10-tips-to-secure-your-email-server/

Web servers must only permit use of https

How to set up an HTTPS Service in
IIS - https://support.microsoft.com/kb/324069
Apache - https://httpd.apache.org/docs/current/ssl/ssl_howto.html

Vendor contracts

Use the University Contract Rider to ensure vendor protection for confidential information. Refer to the Office of the General Counsel Model Documents for examples of approved consulting agreement, software agreement, and credit card merchant agreements. For complex or unusual agreements which may not be appropriately addressed through existing...

Securely overwrite or destroy physical media

Securely overwrite disk drives in servers at a block level or physically destroy when the server is removed from service or disk drives are permanently removed from servers.

Report possible breach, loss or theft of confidential information

Follow instructions posted on the Information Security Website to start the incident reporting process. The University CISO and the OGC will be informed as appropriate of any known or suspected breach of a server containing confidential information. In addition, the University maintains a whistleblowing policy. The policy is intended to encourage all members of the Harvard community to report suspected violations of law or Harvard...

Information Security Policy

Harvard University

Level 3