1. All users are responsible for protecting Harvard confidential information that they use in any form from unauthorized access and use.

Credit Card Transactions

U16: All users handling credit or debit card transactions must comply with University Cash Management requirements.

Configuring User Devices

D1: All user devices must be configured for secure operation. The device must be configured to limit access to the specific person or persons authorized to use the device.

Disposing of Devices

D5: The information stored on the device must be protected against access when the device is disposed of.

Lost Devices

D2: The information stored on the device must be protected against access if the device is lost or stolen. All mobile devices (laptops, mobile phones, etc.) that may be used to store or access Harvard information, including accessing Harvard email, must be securely configured, including encryption.

Server operators

SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements.

Application owner and classification level

SA1: Server operators must be able to identify a responsible party, known as the business application owner, for each application on the server and the data classification level of the information that the application stores and processes.