U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. (Most Harvard systems enforce length and complexity standards.)
U10: Information designated Level 3 or higher may only be used, stored or processed on servers or services (such as file sharing or collaboration services, cloud-based email services, cloud-based backup and recovery services, etc.) that meet applicable Harvard data protection requirements.
U11: Information designated Level 4 or higher must not be stored on user computing devices, including portable computing devices such as laptops, smartphones, or tablets. Level 4 information may be stored on external encrypted portable storage media.
V2: Contracts with vendors managing Level 3 or Level 4 information must contain specific confidentiality language approved by the Office of General Counsel (OGC), or be reviewed by the OGC. Find out more about appropriate Contract Riders for Vendors.
V3: The security design, policies, and procedures of vendors and parties who will collect, process, host or store Level 4 information must be reviewed by a University Information Security Officer. Find out more about appropriate Contract Riders for Vendors.
SA1: Server operators must be able to identify a responsible party, known as the business application owner, for each application on the server and the data classification level of the information that the application stores and processes.
SA2: Servers and applications that manage passwords must force the setting of a complex password. This must meet the following requirements where technically feasible (consult the Security office if the following requirements are not technically feasible):
Read more about Complex passwords.
SSN1: All records compiled or maintained by or for Harvard that contain full SSNs plus other information that can connect the record to an individual (e.g. date of birth, phone number, address, etc.), wherever located and whatever the format, are High Risk Confidential Information and must satisfy the applicable processing and protection requirements for Level 4 data.
SSN2: New collection processes or new research grants effective on or after July 1, 2017: Identifiable records containing full SSNs may be compiled and maintained only to comply with a specific legal requirement. Full SSNs plus identifiable information may only be used or printed in documents where it is legally required. Identifiable records with full SSNs may not be compiled or maintained if there is no legal requirement for that specific data. For example, maintaining full SSNs only as a tool for differentiating records does not satisfy a legal requirement; the same purpose could be
SSN3: When no longer required by law or for the business purpose approved through the exception process, electronic or printed identifiable records containing full SSNs and not subject to a legal hold must be properly disposed of so that the information cannot be retrieved or reassembled. In cases where selected records are identified as having archival value, such as stated in the General Records Schedule, those records are to be transferred securely to the Harvard University Archives (HUA), school-specific archives, or appropriate Harvard specialty archives and then securely removed from
SSN4: The Harvard "business owner" of any identifiable records containing full SSNs, whether electronic or paper, stored by the Harvard unit or by a vendor, must annually report that such records exist and describe the system or systems on which they are maintained, the retention schedule, the location of the system(s), and the approximate number of such records containing full SSNs.