SB10: Server and application operators must promptly inform the appropriate escalation contacts of any possible breaches, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB9: The logs must periodically be reviewed for anomalous behavior, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB8: Administrative functions on servers and applications must be logged, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB7: User and administrator access to servers and applications must be logged, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB6: Confidential information on servers and backup media must be protected against access in the case of physical theft or loss.

SB5: Servers must be protected from improper network-based access, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB3: A mechanism must be used to force re-authentication to user accounts after an idle period, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB2: Servers or applications must implement a mechanism that inhibits password guessing attacks on user accounts if the server or application does its own authentication, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

U16: All users handling credit or debit card transactions must comply with University Cash Management requirements.

U15: All users of confidential Information must both acknowledge a confidentiality agreement and be appropriately trained. Information Security Awareness training for staff is available and required.

U14: Any actual or suspected loss, theft, or improper use of or access to confidential information must be reported promptly.

U13: Confidential information in any form must be appropriately disposed of when it is no longer needed.

U12: Confidential information in any form must be appropriately protected.

U11: Information designated Level 4 or higher must not be stored on user computing devices, including portable computing devices such as laptops, smartphones, or tablets. Level 4 information may be stored on external encrypted portable storage media.