Report location and volumes of identifiable records with full Social Security Numbers annually

When collected for legal requirements: Complete the online form Full SSNs Collected for Legal Requirements for each system or process collecting or storing full SSNs and submit it to the University Information Security office. Contact the Information Security Office at itsec-ec@harvard.edu to request access to the reporting form, as needed.
When collected for business purposes and not a legal requirement: Submit Read more about Report location and volumes of identifiable records with full Social Security Numbers annually

Archive selected identifiable records with full Social Security Numbers securely

See www.grs.harvard.edu for retention schedules and Archive transfer instructions. After secure transfer of the selected records is complete, securely dispose of remaining records in your control that are no longer required by law. Note: Records transferred to HUA are restricted for 80 years and then may be released for research use. The repository may elect to redact the pertinent HRCI information on a case-by-case basis prior to release.

Seek an exception to compile and maintain identifiable records with full Social Security Numbers when not required by law

In certain cases, there may be contracted business partners that require full SSN plus identifying information to complete specific transactions for us, but which do not fulfill a legal requirement for using a full SSN. For example, certain insurance providers may still identify policy holders according to a full SSN, and an alternate identifier or truncated SSN would break their processing service. In such cases, the group with that business need should complete an online Read more about Seek an exception to compile and maintain identifiable records with full Social Security Numbers when not required by law

Important Steps for Configuring Active Directory

Logging:

Keep domain controller logs centrally.
Keep security logs from all domain joined servers centrally.
Create and monitor alerts on:
- The use (success or failure) of any domain administrator credentials.
- The use of any local administrator credentials.
- Changes to domain administrator or other sensitive groups in AD.

Cached Credentials:

Use GPO to set cached credentials on servers to the minimum you possibly can (0 or 1 for servers - for desktops, you may find something like 5 is most appropriate Read more about Important Steps for Configuring Active Directory

Coordinate Harvard authentication with Identity & Access Management (IAM)

Consult the IAM website for authentication protocol options and guides. For additional assistance, please email ithelp@harvard.edu or submit a ServiceNow ticket under the subcategory of Authentication Services: Consulting.

Use External Encrypted Portable Media Storage

Portable storage media, such as approved USB drives, optical and tape media must be encrypted with strong passwords and proper key management in order to store Level 4 information. If you need an approved USB drive, have questions or need help, send an email to ithelp@harvard.edu to request an information security consultation for Harvard-approved external encrypted portable storage media.

Use a secure file transfer method

Send highly sensitive or significant amounts of Level 3 confidential information and any Level 4 confidential information by a secure file transfer method. View detailed instructions for using Accellion secure file transfer.

Use Identity Finder

Identity Finder is a tool which users can run them selves to identify any Level 4 High Risk Confidential Information.

Detailed Identity Finder instructions for PC users.

Detailed Identity Finder instructions for Mac users.

Use scanning software to ensure no HRCI Level 4

Use software (e.g. Identity Finder) to scan systems for HRCI and contact your local IT help desk to obtain such software.

Connect servers individually to network devices

Servers on the subnet may be individually connected to network devices that are configured to block all server-to-server communications except where communication is specifically required.

Information Security Policy

Harvard University

How To