Level 4

Coordinating Faxes

P5: Level 3 or 4 records can be faxed to a non-public fax machine only if arrangements have been made so that the intended recipient will take the copies off the machine immediately upon receipt.

Transferring Records

P4: Any physical transfer of records must use means that are appropriately secure and such transfers must be tracked to confirm that they actually reached the intended recipient.

Logging Access

P3: All access to records containing Level 4 data other than access for ordinary business purposes must be logged.

Limiting Access

P1: Access must be limited to those persons with valid business reasons to access the records.

Ensure individual user identification

 Server operators must not knowingly set up accounts that will be shared by multiple users unless there is a process by which the individual users can be identified. The use of “sudo” or “runas” meets this how-to.

Run malware detection and endpoint detection and response software

  • Servers owned and managed directly by Havard must run CrowdStrike endpoint detection and response software. 
  • Servers managed via contract with a third-party service for Harvard's use must run applicable malware detection and endpoint detection and response software with up-to-date signature files. 

Application patching

Evaluate, schedule, and apply any missing application security updates in a timely manner.

Schedule patches appropriately

Evaluate, schedule, and apply any missing security updates within 30 days. Apply patches immediately and without delay for critical vulnerabilities enabling remote, unauthenticated administrative access.

Transfer temporary passwords securely

 Initial/temporary passwords or secrets must be securely transferred to the user (email to a known good address without the username or address of record, or phone call).  A phone call is the preferred method.

Require password changes

When creating passwords, administrators must ensure that they are set to be changed after first use.

Store passwords encrypted

Store passwords encrypted and log all administrator access to password files; for ActiveDirectory, use whole disk encryption on domain controllers that are not in a secure location.