Level 3

Information which could cause risk of material harm to individuals or the University if disclosed. Click each Requirement to see associated How-Tos which will provide directions to comply with the Requirement.

No Shared Passwords

U1: Users’ passwords and other access credentials must never be shared.

Protect Passwords

U2: All passwords and other access credentials must be protected.

Different Passwords

U3: Different passwords must be used for Harvard and non-Harvard accounts.

Strong Passwords

U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. (Most Harvard systems enforce length and complexity standards.)

Level 3 On Devices

U9: Information designated Level 3 must not be stored on user devices, or portable media, unless the device or media is encrypted.

Level 3 On Systems

U10: Information designated Level 3 or higher may only be used, stored or processed on servers or services (such as file sharing or collaboration services, cloud-based email services, cloud-based backup and recovery services, etc.) that meet applicable Harvard data protection requirements.

No Level 4 On Devices

U11: Information designated Level 4 or higher must not be stored on user computing devices, including portable computing devices such as laptops, smartphones, or tablets. Level 4 information may be stored on external encrypted portable storage media.

Loss of confidential information

U14: Any actual or suspected loss, theft, or improper use of or access to confidential information must be reported promptly.

Credit Card Transactions

U16: All users handling credit or debit card transactions must comply with University Cash Management requirements.

Configuring User Devices

D1: All user devices must be configured for secure operation. The device must be configured to limit access to the specific person or persons authorized to use the device.

Lost Devices

D2: The information stored on the device must be protected against access if the device is lost or stolen. All mobile devices (laptops, mobile phones, etc.) that may be used to store or access Harvard information, including accessing Harvard email, must be securely configured, including encryption.

Applying Patches

D3: Operating system and application patches must be applied promptly.

Configuring Applications

D4: Client applications on the device which might be used to access or transfer confidential information must be configured to protect their communications.

Disposing of Devices

D5: The information stored on the device must be protected against access when the device is disposed of.

Reporting Lost Device

D6: Any actual or suspected loss, theft, or improper use of a device storing confidential information must be reported promptly.

Device Management Systems

D7: Anyone deploying or using a device management system other than Blackberry Enterprise Server or Microsoft ActiveSync must contact the University Security Office.

Limiting Access

P1: Access must be limited to those persons with valid business reasons to access the records.

Transferring Records

P4: Any physical transfer of records must use means that are appropriately secure and such transfers must be tracked to confirm that they actually reached the intended recipient.

Coordinating Faxes

P5: Level 3 or 4 records can be faxed to a non-public fax machine only if arrangements have been made so that the intended recipient will take the copies off the machine immediately upon receipt.

Destroying Records

P6: Destruction of records must be accomplished by means that make it impossible to reconstruct the records.

Server operators

SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements.

Stored passwords

SA7: Systems that manage user passwords must be designed in such a way that the passwords are not retrievable by administrators.

Theft or loss

SB6: Confidential information on servers and backup media must be protected against access in the case of physical theft or loss.

  • «
  • 2 of 2
  •