Encryption should be implemented where feasible

Encryption should be implemented where technically and economically feasible.

Remote login must only permit the use of encrypted communications

Remote login to all servers must only permit the use of encrypted communications such as ssh. Windows servers must enforce a minimum of 128-bit encryption for Terminal Services and Remote Desktop communication. All servers running SSH must use a minimum of protocol version 2. Use 2-factor VPN to connect through the firewall first.

Windows file servers running SMBv3 must only permit use of encryption

Windows file servers running SMBv3 must only permit use of encryption.
https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-security

LDAP servers must only permit the use of SSL-protected LDAP connections

Disable the non-secure port.

Servers must only permit use of SSL-protected SQL communications

For database communication, either use SSL or any other available option to encrypt data over the network.

Email servers must only permit use of SSL-protected POP, IMAP or Exchange

https://www.vircom.com/blog/top-10-tips-to-secure-your-email-server/

Web servers must only permit use of https

How to set up an HTTPS Service in
IIS - https://support.microsoft.com/kb/324069
Apache - https://httpd.apache.org/docs/current/ssl/ssl_howto.html

Vendor contracts

Use the University Contract Rider to ensure vendor protection for confidential information. Refer to the Office of the General Counsel Model Documents for examples of approved consulting agreement, software agreement, and credit card merchant agreements. For complex or unusual agreements which may not be appropriately addressed through existing...

Inventory Level 4 servers appropriately

Inventory Level 4 servers on an annual basis. At a minimum, annually conduct a formal survey of server owners in your department and ask them to provide the following information for each server in their application portfolio:

Business or Practice name
Asset (server) name
System location
System purpose
Type of Level 4 information stored, e.g. SSN, credit card, bank account, driver's license, state ID, passport or visa, or biometric data
Type of environment, e.g. production, test, development
Server type, e.g. physical...

Keep Level 4 servers in secure locations

Level 4 servers must be kept in secure locations which are under University control and which restrict access to authorized users with verified credentials. For keyed access, doors must be locked and ID checked before allowing access. Whether card swipe or keyed access, all access must be logged and the logs must be periodically audited. Walls must be full height, i.e. floor to ceiling with no gaps.

Information Security Policy

Harvard University

How To