Level 3

Remote login must only permit the use of encrypted communications

Remote login to all servers must only permit the use of encrypted communications such as SSH. Windows servers must enforce a minimum of 128-bit encryption for Terminal Services and Remote Desktop communication. All servers running SSH must use a minimum of protocol version 2. Use of a VPN is advised where available.
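One way to check the SSH protocol version requirement on a server, as an added example that is not part of the original policy text: the script reads an `sshd_config`-style file and reports whether the `Protocol` directive (honoured by older OpenSSH releases; current releases support only version 2) still permits version 1. The function names and exit codes are hypothetical choices for this illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the policy page): check an sshd_config-style file
# against the "SSH protocol version 2 only" requirement.

# Print the effective Protocol value, or "unset". sshd_config keywords are
# case-insensitive and the first occurrence of a keyword is the one used.
effective_protocol() {
  awk '
    /^[ \t]*#/ { next }                    # skip comment lines
    {
      line = $0
      sub(/^[ \t]+/, "", line)             # drop leading indentation
      sub(/[ \t]*=[ \t]*/, " ", line)      # accept the "Keyword=value" form
      n = split(line, f, /[ \t]+/)
      if (n >= 2 && tolower(f[1]) == "protocol") { print f[2]; found = 1; exit }
    }
    END { if (!found) print "unset" }
  ' "$1"
}

# Exit codes (assumed convention for this example):
#   0 = version 2 only, 1 = version 1 permitted, 2 = needs manual review.
audit_sshd_protocol() {
  local value
  value=$(effective_protocol "$1")
  case "$value" in
    2)     echo "PASS: $1 permits protocol 2 only"; return 0 ;;
    unset) echo "REVIEW: $1 sets no Protocol; result depends on the installed sshd default"; return 2 ;;
    *1*)   echo "FAIL: $1 permits protocol 1 (Protocol $value)"; return 1 ;;
    *)     echo "REVIEW: $1 has unrecognised Protocol value '$value'"; return 2 ;;
  esac
}

# Run against a file given on the command line, e.g. /etc/ssh/sshd_config.
if [ "$#" -gt 0 ]; then
  audit_sshd_protocol "$1"
fi
```

A later `Protocol 2` line does not rescue a configuration whose first `Protocol` line allows version 1, which is why the check reports only the first occurrence.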

Enforce password complexity

Server operators should implement LDAP, AD, or IAM as best practice where possible. Two-factor authentication is required for any system handling L3/medium risk data and above.

Ensure application owners are identified to you

Document the name, department, and role of the informed IT liaison (practice manager or service owner), their contact information, and the data classification level. This should be stored in a secure local repository (such as ServiceNow) or in a spreadsheet that is stored securely.

Overwrite data or shred the storage media

  • On smartphones, tablets, and encrypted USB thumb drives: enter incorrect passwords until the device reformats itself, or select Factory Reset in Settings
  • On personally-owned laptops: remove and shred the hard drive, or activate full disk encryption using a secret key (password) you don't share
  • For Harvard-purchased or Harvard-managed devices: contact local IT Support for pick-up or drop-off of devices so they can remove data and recycle
  • For CD/DVD: shred at provided shredders or contact local IT Support

Require use of encrypted protocols

Set the device to require the use of SSL, TLS, or another encrypted protocol for email and calendar access. Regardless of device type, if you are considering use of applications that will access or transfer Harvard confidential information and have questions about whether this is appropriate, contact your help desk.

Apply patches promptly

Keep the device’s OS current and apply all OS and application patches in a timely fashion (enable automatic app updates if available). See the "How to Work With User Devices" checklists for your device type.