Information which could cause risk of material harm to individuals or the University if disclosed. Click each Requirement to see associated How-Tos which will provide directions to comply with the Requirement.
U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. (Most Harvard systems enforce length and complexity standards.)
U10: Information designated Level 3 or higher may only be used, stored or processed on servers or services (such as file sharing or collaboration services, cloud-based email services, cloud-based backup and recovery services, etc.) that meet applicable Harvard data protection requirements.
U11: Information designated Level 4 or higher must not be stored on user computing devices, including portable computing devices such as laptops, smartphones, or tablets. Level 4 information may be stored on external encrypted portable storage media.
D2: The information stored on the device must be protected against access if the device is lost or stolen. All mobile devices (laptops, mobile phones, etc.) that may be used to store or access Harvard information, including accessing Harvard email, must be securely configured, including encryption.
V2: Contracts with vendors managing Level 3 or Level 4 information must contain specific confidentiality language approved by the Office of General Counsel (OGC), or be reviewed by the OGC. Find out more about appropriate Contract Riders for Vendors.