Use software (e.g. Splunk) to periodically review the server and application logs to see if the system is under attack (e.g., many bad password guesses) and that the users are following documented practices (e.g., not logging as root).
User and administrator access to servers and applications must be logged, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use.
It is important that anyone who performs administrative responsibilities on these systems have sufficient technical knowledge, via experience and/or training, to be able to implement these requirements and recognize when they need to seek help.
Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification. If you aren't able to identify whether or not a server may have HRCI, apply the level 4 controls.
Do not store Level 3 information on unencrypted devices. For more information on how to ensure that your personal devices are encrypted, see Personal Device Security Guides.
SB11: Information designated level 3 or 4 must be properly disposed of by securely overwriting the information or physically destroying the media when no longer needed, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).