Level 4

Report location and volumes of identifiable records with full Social Security Numbers annually

 

When collected for legal requirements: Complete the online form Full SSNs Collected for Legal Requirements for each system or process collecting or storing full SSNs and submit it to the University Information Security office. Contact the Information Security Office at itsec-ec@harvard.edu to request access to the reporting form, as needed.
When collected for business purposes and not a legal requirement:...

Read more about Report location and volumes of identifiable records with full Social Security Numbers annually

Report location and volumes of identifiable records with full Social Security Numbers annually

SSN4: The Harvard “business owner” of any records containing identifiable records with full SSNs, whether electronic or paper, stored by the Harvard unit or by a vendor, must annually report that there are such records and describe the system or systems on which they are maintained, the retention schedule, the location of the system(s), and the approximate number of such records containing full SSNs.

 

Archive selected identifiable records with full Social Security Numbers securely

See www.grs.harvard.edu for retention schedules and Archive transfer instructions. After secure transfer of the selected records is complete, securely dispose of remaining records in your control that are no longer required by law. Note: Records transferred to HUA are restricted for 80 years and then may be released for research use. The repository may elect to redact the pertinent HRCI information on a case-by-case basis prior to release.

Dispose of or archive identifiable records with full Social Security Numbers securely when retention no longer required by law

SSN3: When no longer required by law or for the business purpose approved through the exception process, electronic or printed identifiable records containing full SSNs and not subject to a legal hold must be properly disposed of so that the information cannot be retrieved or reassembled. In cases where selected records are identified as having archival value, such as stated in the General Records Schedule, those records are to be transferred securely to the Harvard University Archives (HUA), school-specific archives, or appropriate Harvard specialty archives and then securely removed from...

Read more about Dispose of or archive identifiable records with full Social Security Numbers securely when retention no longer required by law

Seek an exception to compile and maintain identifiable records with full Social Security Numbers when not required by law

In certain cases, there may be contracted business partners that require full SSN plus identifying information to complete specific transactions for us, but which do not fulfill a legal requirement for using a full SSN. For example, certain insurance providers may still identify policy holders according to a full SSN, and an alternate identifier or truncated SSN would break their processing service. In such cases, the group with that business need should complete an online...

Read more about Seek an exception to compile and maintain identifiable records with full Social Security Numbers when not required by law

Compile and maintain identifiable records with Social Security Numbers only when required by law

SSN2: New collection processes or new research grants effective on or after July 1, 2017: Identifiable records containing full SSNs may be compiled and maintained only to comply with a specific legal requirement. Full SSNs plus identifiable information may only be used or printed in documents where it is legally required. Identifiable records with full SSNs may not be compiled or maintained if there is no legal requirement for that specific data. For example, maintaining full SSNs only as a tool for differentiating records does not satisfy a legal requirement; the same purpose could be...

Read more about Compile and maintain identifiable records with Social Security Numbers only when required by law

Important Steps for Configuring Active Directory

 

Logging:

  • Keep domain controller logs centrally.
  • Keep security logs from all domain joined servers centrally.
  • Create and monitor alerts on:
    • The use (success or failure) of any domain administrator credentials.
    • The use of any local administrator credentials.
    • Changes to domain administrator or other sensitive groups in AD.

Cached Credentials:

  • Use GPO to set cached credentials on servers to the minimum you possibly can (0 or 1 for servers - for desktops, you may find...
Read more about Important Steps for Configuring Active Directory

Central Authentication Services

SB12: Servers or applications classified as medium risk or higher, or handling data classified as L3 or higher, whether managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS), must use a centrally-managed Harvard authentication system that requires more than one factor for authentication where technically feasible, e.g. HarvardKey or Harvard VPN, or comparable non-Harvard multi-factor authentication system (supported/approved by Harvard). 

Use External Encrypted Portable Media Storage

Portable storage media, such as approved USB drives, optical and tape media must be encrypted with strong passwords and proper key management in order to store Level 4 information. If you need an approved USB drive, have questions or need help, send an email to ithelp@harvard.edu to request an information security consultation for Harvard-approved external encrypted portable storage media.

Pages