Information which would likely cause serious harm to individuals or the University if disclosed. Click on a Requirement for more detailed instructions on how to implement the Requirement.
U2: All passwords and other access credentials must be protected. They must never be stored in plaintext and must not be stored directly in scripts or configuration files.
U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. Further, users must leverage multi-factor authentication (two-step verification) wherever supported. (Harvard systems behind HarvardKey authentication will meet our length, complexity, and multi-factor standards.)
U8: All devices (including desktops, laptops and mobile devices such as smartphones and tablets) storing or processing confidential information must meet Harvard device protection requirements.
U10: Information designated Level 3 or higher may only be used, stored or processed on servers or services (such as file sharing or collaboration services, file transfer systems, cloud-based backup and recovery services, etc.) that meet applicable Harvard data protection requirements.
U11: Information designated Level 4 or higher must not be stored on user computing devices, including portable computing devices such as laptops, smartphones, or tablets. Level 4 information may be stored on external encrypted portable storage media.
U15: All users of confidential Information must both acknowledge a confidentiality agreement and be appropriately trained. Information Security Awareness training for staff is available and required.
P4: Any physical transfer of records must use means that are appropriately secure and such transfers must be tracked to confirm that they actually reached the intended recipient.
P5: Level 3 or 4 records can be faxed to a non-public fax machine only if arrangements have been made so that the intended recipient will take the copies off the machine immediately upon receipt.
V2. Written contracts including appropriate university riders must be executed with all vendors/other third parties who collect, process, host, or store information classified as Level 3 and above. ...
V3: The security design, policies, and procedures of vendors and other third parties who will collect, process, host or store Level 4 information or manage Harvard critical systems must be reviewed by a University Information Security Officer. Find out more about Vendor Reviews.
SA1: Server operators must be able to identify a responsible party, known as the business application owner, for each application on the server and the data classification level of the information that the application stores and processes.
SA2: Servers and applications that manage passwords must force the setting of a complex password. Further, they must enforce multi-factor authentication where technically possible. Complexity and reset frequency must meet the following requirements where technically feasible (consult the Security office if the following requirements are not technically feasible):... Read more about Complex passwords
SA3: Communications between servers or applications and client machines must be protected, whether these servers are managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA4: Communications between servers or applications must be protected, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA5: Default passwords must be changed and generic accounts must be disabled or removed before the server or application is put into use, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA6: Users must only be permitted to access a server or application after their current business need for access has been established, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA7: Systems that manage user passwords and other access credentials must be designed in such a way that the passwords are not retrievable by administrators.
SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords requires L4 security.
SA9: Operating system and application patches must be current and supported by the vendor or Open Source project, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA10: All servers must run malware detection and endpoint detection and response software with up-to-date signature files, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA11: Server operators must not knowingly permit shared user account credentials, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA13: Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SB2: Servers or applications must implement a mechanism that inhibits password guessing attacks on user accounts if the server or application does its own authentication, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SB3: A mechanism must be used to force re-authentication to user accounts after an idle period, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SB5: Servers must be protected from improper network-based access, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SB7: User and administrator access to servers and applications must be logged, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SB8: Administrative functions on servers and applications must be logged, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SB9: The logs must periodically be reviewed for anomalous behavior, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).
SSN1: All records compiled or maintained by or for Harvard that contain full SSNs plus other information that can connect the record to an individual (e.g. date of birth, phone number, address, etc.), wherever located and whatever the format, are High Risk Confidential Information and must satisfy the applicable processing and protection requirements for Level 4 data.
SSN2: New collection processes or new research grants effective on or after July 1, 2017: Identifiable records containing full SSNs may be compiled and maintained only to comply with a specific legal requirement. Full SSNs plus identifiable information may only be used or printed in documents where it is legally required. Identifiable records with full SSNs may not be compiled or maintained if there is no legal requirement for that specific data. For example, maintaining full SSNs only as a tool for differentiating records does not satisfy a legal requirement; the same purpose could be...
SSN3: When no longer required by law or for the business purpose approved through the exception process, electronic or printed identifiable records containing full SSNs and not subject to a legal hold must be properly disposed of so that the information cannot be retrieved or reassembled. In cases where selected records are identified as having archival value, such as stated in the General Records Schedule, those records are to be transferred securely to the Harvard University Archives (HUA), school-specific archives, or appropriate Harvard specialty archives and then securely removed from...
SSN4: The Harvard “business owner” of any records containing identifiable records with full SSNs, whether electronic or paper, stored by the Harvard unit or by a vendor, must annually report that there are such records and describe the system or systems on which they are maintained, the retention schedule, the location of the system(s), and the approximate number of such records containing full SSNs.