Users of administrative accounts on certain enterprise systems must complete the account attestation process.

Administrative Account Attestation for Enterprise SystemsThe annual administrative account attestation process is...

Set application inactivity time-out

Force re-authentication after a defined period of inactivity within the server-side application, where this feature is available.

Configure operational technology devices for secure operation

In addition to the requirements above, install and run Crowdstrike endpoint detection and response client on operational technology devices where technically feasible.

Configure your laptop or desktop for secure operation and storage

Personally owned and managed: Follow the Personal Device Security Guides
Harvard-managed or Harvard-purchased laptops and desktops must run Crowdstrike endpoint detection and response client. For other configuration detail, check with your...

Report location and volumes of identifiable records with full Social Security Numbers annually

When collected for legal requirements: Complete the online form Full SSNs Collected for Legal Requirements for each system or process collecting or storing full SSNs and submit it to the University Information Security office. Contact the Information Security Office at itsec-ec@harvard.edu to request access to the reporting form, as needed.
When collected for business purposes and not a legal requirement:...

Archive selected identifiable records with full Social Security Numbers securely

See www.grs.harvard.edu for retention schedules and Archive transfer instructions. After secure transfer of the selected records is complete, securely dispose of remaining records in your control that are no longer required by law. Note: Records transferred to HUA are restricted for 80 years and then may be released for research use. The repository may elect to redact the pertinent HRCI information on a case-by-case basis prior to release.

Seek an exception to compile and maintain identifiable records with full Social Security Numbers when not required by law

In certain cases, there may be contracted business partners that require full SSN plus identifying information to complete specific transactions for us, but which do not fulfill a legal requirement for using a full SSN. For example, certain insurance providers may still identify policy holders according to a full SSN, and an alternate identifier or truncated SSN would break their processing service. In such cases, the group with that business need should complete an online...

Important Steps for Configuring Active Directory

Logging:

Keep domain controller logs centrally.
Keep security logs from all domain joined servers centrally.
Create and monitor alerts on:
- The use (success or failure) of any domain administrator credentials.
- The use of any local administrator credentials.
- Changes to domain administrator or other sensitive groups in AD.

Cached Credentials:

Use GPO to set cached credentials on servers to the minimum you possibly can (0 or 1 for servers - for desktops, you may find...

Coordinate Harvard authentication with Identity & Access Management (IAM)

Consult the IAM website for authentication protocol options and guides. For additional assistance, please email ithelp@harvard.edu or submit a ServiceNow ticket under the subcategory of Authentication Services: Consulting.

Use External Encrypted Portable Media Storage

Portable storage media, such as approved USB drives, optical and tape media must be encrypted with strong passwords and proper key management in order to store Level 4 information. If you need an approved USB drive, have questions or need help, send an email to ithelp@harvard.edu to request an information security consultation for Harvard-approved external encrypted portable storage media.

Information Security Policy

Harvard University

How To