Device Management Systems

D7: Anyone deploying or using a mobile device management system other than Microsoft ActiveSync must contact the University Security Office.

Reporting Lost Device

D6: Any actual or suspected loss, theft, or improper use of a device storing confidential information must be reported promptly.

Disposing of Devices

D5: The information stored on the device must be protected against access when the device is disposed of.

Configuring Applications

D4: Client applications on the device which might be used to access or transfer confidential information must be configured to protect their communications.

Applying Patches

D3: Operating system and application patches must be applied promptly.

Protecting Information on Devices against Loss, Theft, or Reuse

D2: The information stored on the device must be protected against access if the device is lost, stolen, or recycled/reissued to another user. All mobile devices (laptops, mobile phones, etc.) and workstations that may be used to store or access Harvard information, including accessing Harvard email, must be securely configured, including encryption of data stored on the device, where this feature is supported.

Configuring Devices

Note: Enforcement of configurations for personally-managed devices will be phased in, beginning with alerts of non-compliance and grace periods to resolve detected gaps.
D1: All devices connecting to or installed on a non-guest Harvard network or authenticating to Harvard applications must be configured for secure operation, including non-default unique passwords/credentials that limit access to authorized individuals and services, proper registration of the device on the network, current and supported operating system (firmware and software), regular updates and...

Change your password if compromised

If you believe your password has been compromised or otherwise improperly accessed, change your password. Depending on your department policy, you might have access to the departmental file share or Sharepoint. Contact your local IT support person or your manager to obtain instructions on the recommended local practice.

Contact University Information Security Office

Contact ithelp@harvard.edu and request a security consultation.

Use delegates and permissions

Eliminate the need for account sharing by using delegates and permissions for email accounts that might need to be shared.

See Managing Outlook Mail and Calendar

See Managing Google Mail

Choose a strong and memorable password

1. No common names or dictionary words. (A multi word phrase with no spaces is acceptable).
2. Include at least one character from at least 3 of the following:
Include one uppercase letter
Include one lowercase...

Use a 4-digit PIN

For smartphones and tablets, a 4-8 digit PIN is acceptable as long as you also configure the device to erase itself after 10 bad password guesses.

For Exchange users, this is a default and the user must set the PIN. See your device manual for instructions for those not using Exchange.

Configure your mobile computing device for secure operation and storage

See "Personal Device Security Guides" for your device type. Install mobile applications only from official app stores.

Treat passwords like HRCI

If you must write your password down, treat and protect it like Level 4/High Risk Confidential Information.

Review all Data Classification levels.

Use a password management application

Use a password management application like 1Password, LastPass, KeePass or iCloud Keychain that generates, stores and protects long, random, unique passwords

Information Security Policy

Harvard University

Level 3