Level 4

External access

SC1: Servers must not be directly accessible from the Internet or from parts of the internal network where there are user computers, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Secure disposal

SB11: Information designated level 3 or 4 must be properly disposed of by securely overwriting the information or physically destroying the media when no longer needed, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Reporting breaches

SB10: Server and application operators must promptly inform the appropriate escalation contacts of any possible breaches, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Reviewing logs

SB9: The logs must periodically be reviewed for anomalous behavior, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Administrative functions

SB8: Administrative functions on servers and applications must be logged, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Logging access

SB7: User and administrator access to servers and applications must be logged, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Theft or loss

SB6: Confidential information on servers and backup media must be protected against access in the case of physical theft or loss.

Improper access

SB5: Servers must be protected from improper network-based access, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Idle sessions

SB3: A mechanism must be used to force re-authentication to user accounts after an idle period, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Password guessing

SB2: Servers or applications must implement a mechanism that inhibits password guessing attacks on user accounts if the server or application does its own authentication, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Server operators

SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Credit Card Transactions

U16: All users handling credit or debit card transactions must comply with University Cash Management requirements.

Pages