Level 4 servers must be kept in secure locations which are under University control and which restrict access to authorized users with verified credentials. For keyed access, doors must be locked and ID checked before allowing access. Whether card swipe or keyed access, all access must be logged and the logs must be periodically audited. Walls must be full height, i.e. floor to ceiling with no gaps.
Owners/managers of applications dealing with Level 4 information must designate which employees have permission to access the application from outside the Harvard wired network or other Harvard strongly authenticated and encrypted wireless network.
The firewall between the Level 4 server and networks that include user computers must be configured to only permit outbound traffic that is required properly operate the service provided by the Level 4 server