Level 4

Compile and maintain identifiable records with Social Security Numbers only when required by law

SSN2: New collection processes or new research grants effective on or after July 1, 2017: Identifiable records containing full SSNs may be compiled and maintained only to comply with a specific legal requirement. Full SSNs plus identifiable information may only be used or printed in documents where it is legally required. Identifiable records with full SSNs may not be compiled or maintained if there is no legal requirement for that specific data. For example, maintaining full SSNs only as a tool for differentiating records does not satisfy a legal requirement; the same purpose could be...


Important Steps for Configuring Active Directory

Logging:

  • Keep domain controller logs centrally.
  • Keep security logs from all domain joined servers centrally.
  • Create and monitor alerts on:
    • The use (success or failure) of any domain administrator credentials.
    • The use of any local administrator credentials.
    • Changes to domain administrator or other sensitive groups in AD.

Cached Credentials:

  • Use GPO to set cached credentials on servers to the minimum you possibly can (0 or 1 for servers - for desktops, you may find...

Use External Encrypted Portable Media Storage

Portable storage media, such as approved USB drives, optical and tape media must be encrypted with strong passwords and proper key management in order to store Level 4 information. If you need an approved USB drive, have questions or need help, send an email to ithelp@harvard.edu to request an information security consultation for Harvard-approved external encrypted portable storage media.

Connect servers individually to network devices

Servers on the subnet may be individually connected to network devices that are configured to block all server-to-server communications except where communication is specifically required.

Configure host based firewalls

Servers may be configured with host-based firewalls that are configured to block all server-to-server communications except where communication is specifically required.

Protecting Servers

SC9: Servers on the same subnet must be protected against attack from each other, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Coordinate to ensure safe faxing

Contact the recipient in advance to ensure that the Level 3 or 4 confidential information is removed from the fax machine promptly. Do not fax to an unattended machine or to one in an open area.

Transfer records securely and confirm receipt

Options to meet this requirement:
In every case below, use a sealed envelope.

When you can, or when the risk dictates (sensitivity, number of records), choose hand delivery or ensure tracking/delivery confirmation. Put the item in a mailbox or FedEx box yourself rather than leaving it in a basket in an open area for someone else to do so.

-Hand deliver (make sure you hand it to the intended recipient)
-University mail (up to Level 3)
-US Mail (use tracking/delivery confirmation where practical)
-FedEx/UPS (use tracking/delivery...

