U1: Users’ passwords and other access credentials must never be shared.

U2: All passwords and other access credentials must be protected.

U3: Different passwords must be used for Harvard and non-Harvard accounts.

U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. (Harvard systems behind HarvardKey authentication will meet our length and complexity standards.)

U5: Passwords must be changed immediately if there is suspicion of compromise.

U6: Confidential information must only be accessed for authorized purposes.

U7: Confidential information must only be shared with those authorized to receive it.

U8: All devices (including desktops, laptops and mobile devices such as smartphones and tablets) storing or processing confidential information must meet Harvard device protection requirements.

See User Device Requirements.

U10: Information designated Level 3 or higher may only be used, stored or processed on servers or services (such as file sharing or collaboration services, file transfer systems, cloud-based backup and recovery services, etc.) that meet applicable Harvard data protection requirements.

U11: Information designated Level 4 or higher must not be stored on user computing devices, including portable computing devices such as laptops, smartphones, or tablets. Level 4 information may be stored on external encrypted portable storage media.

U12: Confidential information in any form must be appropriately protected.

U13: Confidential information in any form must be appropriately disposed of when it is no longer needed.

U14: Any actual or suspected loss, theft, or improper use of or access to confidential information must be reported promptly.

U15: All users of confidential Information must both acknowledge a confidentiality agreement and be appropriately trained. Information Security Awareness training for staff is available and required.

U16: All users handling credit or debit card transactions must comply with University Cash Management requirements.

P1: Access must be limited to those persons with valid business reasons to access the records.

P2: Records must be locked up when not in active use.

P3: All access to records containing Level 4 data other than access for ordinary business purposes must be logged.

P4: Any physical transfer of records must use means that are appropriately secure and such transfers must be tracked to confirm that they actually reached the intended recipient.

P5: Level 3 or 4 records can be faxed to a non-public fax machine only if arrangements have been made so that the intended recipient will take the copies off the machine immediately upon receipt.

P6: Destruction of records must be accomplished by means that make it impossible to reconstruct the records.

V1: Written contracts must be executed with all vendors and other third parties who collect, process, host or store Level 3 or 4 information or have access to Harvard sensitive systems. Find out more about appropriate Contract Riders for Vendors.

V2: Contracts with vendors managing Level 3 or Level 4 information or managing Harvard sensitive systems must contain specific confidentiality and security language already approved by the Office of General Counsel (OGC), or be reviewed by the OGC. Find out more about approved Contract Riders for Vendors.

V3: The security design, policies, and procedures of vendors and other third parties who will collect, process, host or store Level 4 information or manage Harvard critical systems must be reviewed by a University Information Security Officer. Find out more about Vendor Reviews.

SB10: Server and application operators must promptly inform the appropriate escalation contacts of any possible breaches, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB11: Information designated level 3 or 4 must be properly disposed of by securely overwriting the information or physically destroying the media when no longer needed, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SC1: Servers must not be directly accessible from the Internet or from parts of the internal network where there are user computers, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SC2: Servers with Level 4 information must be on private address space, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SC3: Server operators must take reasonable actions on a regular basis to ensure that their systems are not vulnerable to attack, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SC4: Outbound traffic from servers must be limited to that required to properly operate the service, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SC5: The business application owner for applications dealing with Level 4 information must designate which employees have permission to access level 4 information about others from outside the Harvard wired or other Harvard strongly authenticated and encrypted wireless network.

SC6: Logs of user and administrator access to servers and applications must be securely maintained on a remote computer, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SC7: User access to level 4 information on servers must be logged, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SC8: Servers must be kept in secure locations and properly inventoried, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SC9: Servers on the same subnet must be protected against attack from each other, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

SB12: Servers or applications classified as medium risk or higher, or handling data classified as L3 or higher, whether managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS), must use a centrally-managed Harvard authentication system that requires more than one factor for authentication where technically feasible, e.g. HarvardKey or Harvard VPN, or comparable non-Harvard multi-factor authentication system (supported/approved by Harvard). 

SSN1: All records compiled or maintained by or for Harvard that contain full SSNs plus other information that can connect the record to an individual (e.g. date of birth, phone number, address, etc.), wherever located and whatever the format, are High Risk Confidential Information and must satisfy the applicable processing and protection requirements for Level 4 data.

SSN2: New collection processes or new research grants effective on or after July 1, 2017: Identifiable records containing full SSNs may be compiled and maintained only to comply with a specific legal requirement. Full SSNs plus identifiable information may only be used or printed in documents where it is legally required. Identifiable records with full SSNs may not be compiled or maintained if there is no legal requirement for that specific data. For example, maintaining full SSNs only as a tool for differentiating records does not satisfy a legal requirement; the same purpose could be...

SSN3: When no longer required by law or for the business purpose approved through the exception process, electronic or printed identifiable records containing full SSNs and not subject to a legal hold must be properly disposed of so that the information cannot be retrieved or reassembled. In cases where selected records are identified as having archival value, such as stated in the General Records Schedule, those records are to be transferred securely to the Harvard University Archives (HUA), school-specific archives, or appropriate Harvard specialty archives and then securely removed from...

SSN4: The Harvard “business owner” of any records containing identifiable records with full SSNs, whether electronic or paper, stored by the Harvard unit or by a vendor, must annually report that there are such records and describe the system or systems on which they are maintained, the retention schedule, the location of the system(s), and the approximate number of such records containing full SSNs.