Recent Policy Changes

The following changes to the Information Security Policy's Requirements and How-To's are in effect as of May 1st, 2022.

Requirements

  1. Central authentication is required for all servers and systems where it is technically possible. If central authentication is not technically possible, multi-factor authentication must be used if available. Central authentication can be achieved through direct integration with HarvardKey, or by requiring a HarvardKey-protected VPN to connect. (View Requirement)
  2. Third-party level 3 access and up may only be approved within a contract that uses approved language from the Office of the General Counsel (OGC). Pre-approved contract riders are available, or contracts can be directly submitted to OGC for approval. (View Requirement)
  3. Level 4 data must be encrypted at rest. (View Requirement)
  4. Where logging is a requirement, logs should be retained for a minimum of 90 days. (View Requirement)
  5. Confidential information (Level 2+) must only be shared with those authorized to receive it. (View Requirement) - effective 8/8/23

How-To's

  1. (NEW) Manage Access: Use the Harvard Sponsored Role Portal to manage third-party access. (View How-To)
  2. Vendor Contracts: Updated locations for pre-approved language from OGC. (View How-To)
  3. Level 4 data should be encrypted on cloud platforms such as AWS, Azure, and Google Cloud. (View How-To)
  4. Level 4 data backups should be encrypted. (View How-To)
  5. (NEW) Handle Logs Appropriately: Logs should be stored on a central log server or on a solution provided by the vendor. On-prem and CloudShield2 systems should use HUIT SplunkCloud. (View How-To)
  6. Administrative audit logs should contain a timestamp, username, source IP address, and the function/action performed. (View How-To)
  7. Vulnerability scanning software (Tenable) must be installed on all servers. (View How-To)
  8. Vulnerability scans must be run at least every 30 days. (View How-To)
  9. Patches must be installed within 30 days. Patches that address remote unauthenticated administrative access must be installed immediately. (View How-To)
  10. If multi-factor authentication is not in use, passwords must be 12 characters long, or 10 characters long and changed annually (up from 10 and 8 characters, respectively). (View How-To)