Server operators must not knowingly set up accounts that will be shared by multiple users unless there is a process by which the individual users can be identified. Granting privileges through “sudo” or “runas” from individual user accounts meets this requirement, since each privileged action is then logged against the individual who invoked it.
Servers owned and managed directly by Harvard must run CrowdStrike endpoint detection and response software.
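The following is an added example, not part of the policy text above: a POSIX shell script that shows what the identification process looks like in practice when privileges are granted through sudo. It extracts the invoking user, target account and command from sudo entries in an auth log, and separately counts direct logins to a shared account (root over SSH), which cannot be attributed to an individual. The log lines, hostname and usernames are constructed for illustration; the line format follows typical syslog output from sudo and sshd.

```shell
#!/bin/sh
# Added example (not from the policy page). Attribute privileged actions to
# individual users from sudo log entries, and flag shared-account logins that
# sudo cannot attribute. SAMPLE_LOG is constructed for illustration only.

SAMPLE_LOG='Mar 10 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 09:15:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
Mar 10 09:20:12 web01 sshd[2211]: Accepted password for root from 10.0.0.5 port 51022 ssh2
Mar 10 09:31:07 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql'

# attribute_sudo LOGTEXT
# Prints one line per sudo invocation: "<invoking user> <target user> <command>".
# The invoking user is the individual accountable for the action.
attribute_sudo() {
    printf '%s\n' "$1" | sed -n \
        's/.* sudo: *\([^ ]*\) : .*USER=\([^ ]*\) ; COMMAND=\(.*\)$/\1 \2 \3/p'
}

# privileged_users LOGTEXT
# Prints the distinct individuals who ran anything through sudo, space-separated.
privileged_users() {
    attribute_sudo "$1" | awk '{ print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# count_unattributed_root_logins LOGTEXT
# Counts SSH logins straight into root. These bypass the per-user trail that
# sudo provides and are exactly the shared-account access the policy forbids.
count_unattributed_root_logins() {
    printf '%s\n' "$1" | grep -c 'sshd\[[0-9]*\]: Accepted [a-z]* for root from' || true
}

# Report when run directly.
echo "Privileged actions attributed to individuals:"
attribute_sudo "$SAMPLE_LOG"
echo "Individuals who used sudo: $(privileged_users "$SAMPLE_LOG")"
echo "Direct root logins (no individual attribution): $(count_unattributed_root_logins "$SAMPLE_LOG")"
```

On a real host the same functions can be fed `journalctl _COMM=sudo` or `/var/log/auth.log`; a non-zero count of direct root logins is the signal that the shared account, not sudo, is being used for administration.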
Servers managed via contract with a third-party service for Harvard's use must run applicable malware detection and endpoint detection and response software with up-to-date signature files.
Evaluate, schedule, and apply any missing security updates within 30 days. For critical vulnerabilities that allow remote, unauthenticated administrative access, apply patches immediately.
Initial or temporary passwords and other secrets must be transferred to the user securely: by email to a known-good address, without including the username or address of record in the message, or by phone call. A phone call is the preferred method.
Store passwords encrypted and log all administrator access to password files; for Active Directory, use whole-disk encryption on domain controllers that are not in a secure location.
Disable account access when a user leaves the University or changes jobs such that they no longer have a business need to access the information; the best way to do this is through the central authentication service.