Work with Confidential Information

Use External Encrypted Portable Media Storage

Portable storage media, such as approved USB drives, optical and tape media must be encrypted with strong passwords and proper key management in order to store Level 4 information. If you need an approved USB drive, have questions or need help, send an email to ithelp@harvard.edu to request an information security consultation for Harvard-approved external encrypted portable storage media.

Permit only competent operation of servers

 It is important that anyone who performs administrative responsibilities on these systems have sufficient technical knowledge, via experience and/or training, to be able to implement these requirements and recognize when they need to seek help.

Servers must meet the most stringent requirement

Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification. If you aren't able to identify whether or not a server may have HRCI, apply the level 4 controls.

Level 3 On Systems

Use or store Level 3 or higher information only on protected servers or services

Level 3 on encrypted devices only

Do not store Level 3 information on unencrypted devices. For more information on how to ensure that your devices are encrypted, see the checklist for encrypting your device type.

No Level 4 On Devices

Work from materials stored on approved servers or services and do not copy them to your local system. If you are conducting field research to collect Level 4 data and cannot meet this requirement send an email to ithelp@harvard.edu to request an information security consultation for Harvard-approved external encrypted portable storage media and process.