Level 3

Information which could cause risk of material harm to individuals or the University if disclosed. Each Requirement has associated How-Tos that provide directions to comply with it.

No Shared Passwords

U1: Users’ passwords and other access credentials must never be shared.

Protect Passwords

U2: All passwords and other access credentials must be protected.

Different Passwords

U3: Different passwords must be used for Harvard and non-Harvard accounts.

Strong Passwords

U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. (Most Harvard systems enforce length and complexity standards.)

Level 3 On Devices

U9: Information designated Level 3 must not be stored on user devices, or portable media, unless the device or media is encrypted.

Level 3 On Systems

U10: Information designated Level 3 or higher may only be used, stored or processed on servers or services (such as file sharing or collaboration services, cloud-based email services, cloud-based backup and recovery services, etc.) that meet applicable Harvard data protection requirements.

No Level 4 On Devices

U11: Information designated Level 4 or higher must not be stored on user computing devices, including portable computing devices such as laptops, smartphones, or tablets. Level 4 information may be stored on external encrypted portable storage media.

Loss of confidential information

U14: Any actual or suspected loss, theft, or improper use of or access to confidential information must be reported promptly.

Credit Card Transactions

U16: All users handling credit or debit card transactions must comply with University Cash Management requirements.

Configuring User Devices

D1: All user devices must be configured for secure operation. The device must be configured to limit access to the specific person or persons authorized to use the device.

Lost Devices

D2: The information stored on the device must be protected against access if the device is lost or stolen. All mobile devices (laptops, mobile phones, etc.) that may be used to store or access Harvard information, including accessing Harvard email, must be securely configured, including encryption.

Applying Patches

D3: Operating system and application patches must be applied promptly.

Configuring Applications

D4: Client applications on the device which might be used to access or transfer confidential information must be configured to protect their communications.

Disposing of Devices

D5: The information stored on the device must be protected against access when the device is disposed of.

Reporting Lost Device

D6: Any actual or suspected loss, theft, or improper use of a device storing confidential information must be reported promptly.

Device Management Systems

D7: Anyone deploying or using a device management system other than BlackBerry Enterprise Server or Microsoft ActiveSync must contact the University Security Office.

Limiting Access

P1: Access must be limited to those persons with valid business reasons to access the records.

Transferring Records

P4: Any physical transfer of records must use means that are appropriately secure and such transfers must be tracked to confirm that they actually reached the intended recipient.

Coordinating Faxes

P5: Level 3 or 4 records can be faxed to a non-public fax machine only if arrangements have been made so that the intended recipient will take the copies off the machine immediately upon receipt.

Destroying Records

P6: Destruction of records must be accomplished by means that make it impossible to reconstruct the records.

Password guessing

SB2: Servers or applications must implement a mechanism that inhibits password guessing attacks on user accounts if the server or application does its own authentication.

Application owner and classification level

SA1: Server operators must be able to identify a responsible party, known as the business application owner, for each application on the server and the data classification level of the information that the application stores and processes.

Appropriate user access

SA6: Users must only be permitted to access a server or application after their current business need for access has been established.

Central Authentication Services

SB12: Servers or applications handling data classified as L3 or higher, whether managed directly by Harvard or a contracted vendor (e.g. SaaS), must use a centrally-managed Harvard authentication system where feasible, e.g. HarvardKey or HUIT Active Directory, or an authentication system approved by the School or University CIO.

Complex passwords

SA2: Servers and applications that manage passwords must force the setting of a complex password. This must meet the following requirements where technically feasible (consult the Security office if the following requirements are not technically feasible):

Current patches

SA9: Operating system and application patches must be current.

Highest classification

SA13: Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification.

Idle sessions

SB3: A mechanism must be used to force re-authentication to user accounts after an idle period.

Improper access

SB5: Servers must be protected from improper network-based access.

Logging access

SB7: User and administrator access to servers and applications must be logged.

Malware detection

SA10: Servers must be running applicable malware detection software with up-to-date signature files.

No shared accounts

SA11: Server operators must not knowingly permit shared user account credentials.

Password Management

SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords requires L4 security.

Reporting breaches

SB10: Server and application operators must promptly inform the proper authorities of any possible breaches.

Reviewing logs

SB9: The logs must periodically be reviewed for anomalous behavior.

Scanning servers

SA12: All University-owned servers must be annually scanned for the presence of High Risk Confidential Information (HRCI).

Secure disposal

SB11: Information designated Level 3 or 4 must be properly disposed of by securely overwriting the information or physically destroying the media when no longer needed.

Server communication

SA3: Communications between servers or applications and client machines must be protected. 
