Level 2

Information the disclosure of which would not cause material harm, but which the University has chosen to keep confidential. Click on each Requirement to view how-tos for implementing the Requirement. 

No Shared Passwords

U1: Users’ passwords and other access credentials must never be shared.

Protect Passwords

U2: All passwords and other access credentials must be protected.

Different Passwords

U3: Different passwords must be used for Harvard and non-Harvard accounts.

Strong Passwords

U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. (Most Harvard systems enforce length and complexity standards.)

Level 3 On Devices

U9: Information designated Level 3 must not be stored on user devices, or portable media, unless the device or media is encrypted.

Level 3 On Systems

U10: Information designated Level 3 or higher may only be used, stored or processed on servers or services (such as file sharing or collaboration services, cloud-based email services, cloud-based backup and recovery services, etc.) that meet applicable Harvard data protection requirements.

No Level 4 On Devices

U11: Information designated Level 4 or higher must not be stored on user computing devices, including portable computing devices such as laptops, smartphones, or tablets. Level 4 information may be stored on external encrypted portable storage media.

Loss of confidential information

U14: Any actual or suspected loss, theft, or improper use of or access to confidential information must be reported promptly.

Credit Card Transactions

U16: All users handling credit or debit card transactions must comply with University Cash Management requirements.

Configuring User Devices

D1: All user devices must be configured for secure operation. The device must be configured to limit access to the specific person or persons authorized to use the device.

Lost Devices

D2: The information stored on the device must be protected against access if the device is lost or stolen. All mobile devices (laptops, mobile phones, etc.) that may be used to store or access Harvard information, including accessing Harvard email, must be securely configured, including encryption.

Applying Patches

D3: Operating system and application patches must be applied promptly.

Configuring Applications

D4: Client applications on the device which might be used to access or transfer confidential information must be configured to protect their communications.

Disposing of Devices

D5: The information stored on the device must be protected against access when the device is disposed of.

Reporting Lost Device

D6: Any actual or suspected loss, theft, or improper use of a device storing confidential information must be reported promptly.

Device Management Systems

D7: Anyone deploying or using a device management system other than Blackberry Enterprise Server or Microsoft ActiveSync must contact the University Security Office.

Application owner and classification level

SA1: Server operators must be able to identify a responsible party, known as the business application owner, for each application on the server and the data classification level of the information that the application stores and processes.

Complex passwords

SA2: Servers and applications that manage passwords must force the setting of a complex password. This must meet the following requirements where technically feasible (consult the Security office if the following requirements are not technically feasible): Read more about Complex passwords

Server communication

SA3: Communications between servers or applications and client machines must be protected. 

Appropriate user access

SA6: Users must only be permitted to access a server or application after their current business need for access has been established.

Stored passwords

SA7: Systems that manage user passwords must be designed in such a way that the passwords are not retrievable by administrators.

Password Management

SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords requires L4 security.

Current patches

SA9: Operating system and application patches must be current.

Malware detection

SA10: Servers must be running applicable malware detection software with up-to-date signature files.

No shared accounts

SA11: Server operators must not knowingly permit shared user account credentials.

Scanning servers

SA12: All University owned servers must be annually scanned for the presence of High Risk Confidential Information (HRCI).

Highest classification

SA13: Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification.

Server operators

SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements.

Limiting Access

P1: Access must be limited to those persons with valid business reasons to access the records.

Transferring Records

P4: Any physical transfer of records must use means that are appropriately secure and such transfers must be tracked to confirm that they actually reached the intended recipient.

Destroying Records

P6: Destruction of records must be accomplished by means that make it impossible to reconstruct the records.