How To

Report location and volumes of identifiable records with full Social Security Numbers annually


When collected for legal requirements: Complete the online form Full SSNs Collected for Legal Requirements for each system or process collecting or storing full SSNs and submit it to the University Information Security office. Contact the Information Security Office at itsec-ec@harvard.edu to request access to the reporting form, as needed.
When collected for business purposes and not a legal requirement:...


Archive selected identifiable records with full Social Security Numbers securely

See www.grs.harvard.edu for retention schedules and Archive transfer instructions. After secure transfer of the selected records is complete, securely dispose of remaining records in your control that are no longer required by law. Note: Records transferred to HUA are restricted for 80 years and then may be released for research use. The repository may elect to redact the pertinent HRCI information on a case-by-case basis prior to release.

Seek an exception to compile and maintain identifiable records with full Social Security Numbers when not required by law

In certain cases, there may be contracted business partners that require full SSN plus identifying information to complete specific transactions for us, but which do not fulfill a legal requirement for using a full SSN. For example, certain insurance providers may still identify policy holders according to a full SSN, and an alternate identifier or truncated SSN would break their processing service. In such cases, the group with that business need should complete an online...


Important Steps for Configuring Active Directory


Logging:

  • Keep domain controller logs centrally.
  • Keep security logs from all domain joined servers centrally.
  • Create and monitor alerts on:
    • The use (success or failure) of any domain administrator credentials.
    • The use of any local administrator credentials.
    • Changes to domain administrator or other sensitive groups in AD.

Cached Credentials:

  • Use GPO to set cached credentials on servers to the minimum you possibly can (0 or 1 for servers - for desktops, you may find...

Use External Encrypted Portable Media Storage

Portable storage media, such as approved USB drives and optical and tape media, must be encrypted with strong passwords and proper key management in order to store Level 4 information. If you need an approved USB drive, have questions, or need help, send an email to ithelp@harvard.edu to request an information security consultation on Harvard-approved external encrypted portable storage media.

Connect servers individually to network devices

Servers on the subnet may be individually connected to network devices that are configured to block all server-to-server communications except where communication is specifically required.

Configure host based firewalls

Servers may be configured with host-based firewalls that are configured to block all server-to-server communications except where communication is specifically required.