The following changes to the Information Security Policy's Requirements and How-To's are in effect as of May 1st, 2022.
Requirements
- Central authentication is required for all servers and systems where it is technically possible. If central authentication is not technically possible, multi-factor authentication must be used if available. Central authentication can be achieved through direct integration with HarvardKey, or by requiring a HarvardKey-protected VPN to connect. (View Requirement)
- Third-party level 3 access and up may only be approved within a contract that uses approved language from the Office of the General Counsel (OGC). Pre-approved contract riders are available, or contracts can be directly submitted to OGC for approval. (View Requirement)
- Level 4 data must be encrypted at rest. (View Requirement)
- Where logging is a requirement, logs should be retained for a minimum of 90 days. (View Requirement)
- Confidential information (Level 2+) must only be shared with those authorized to receive it. (View Requirement) - effective 8/8/23
How-To's
- (NEW) Manage Access: Use the Harvard Sponsored Role Portal to manage third-party access. (View How-To)
- Vendor Contracts: Updated locations for pre-approved language from OGC. (View How-To)
- Level 4 data should be encrypted on cloud platforms such as AWS, Azure, and Google Cloud. (View How-To)
- Level 4 data backups should be encrypted. (View How-To)
- (NEW) Handle Logs Appropriately: Logs should be stored on a central log server or on a solution provided by the vendor. On-prem systems and CloudShield2 should use HUIT SplunkCloud. (View How-To)
- Administrative audit logs should contain a timestamp, username, source IP address, and the function/action performed. (View How-To)
- Vulnerability scanning software (Tenable) must be installed on all servers. (View How-To)
- Vulnerability scans must be run at least every 30 days. (View How-To)
- Patches must be installed within 30 days. Patches that address remote unauthenticated administrative access must be installed immediately. (View How-To)
- Where multi-factor authentication is not in use, passwords must be at least 12 characters long, or at least 10 characters long and changed annually (up from 10 and 8 characters respectively). (View How-To)
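The audit-log how-to above lists the content every administrative log entry must carry (timestamp, username, source IP address, action) and the requirement that logs be retained for at least 90 days. The following script is an added example, not code from the HUIT how-to: it checks newline-delimited JSON audit records for those fields and reports the lines that would fail review. The JSON key names (`timestamp`, `username`, `source_ip`, `action`) and the sample log are assumptions for illustration; the policy names the content, not a format. It also rejects timestamps without a UTC offset, since a naive local timestamp cannot be correlated reliably across systems during an incident.

```python
"""Check administrative audit-log lines for the required content.

Added example for this page; field names and sample data are assumed."""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Assumed key names; the policy requires the content, not these exact keys.
REQUIRED_FIELDS = ("timestamp", "username", "source_ip", "action")
RETENTION_DAYS = 90

# Constructed sample log (newline-delimited JSON), not a real capture.
SAMPLE_LOG = """\
{"timestamp": "2024-03-01T14:02:11Z", "username": "admin01", "source_ip": "10.20.30.40", "action": "user.create"}
{"timestamp": "2024-03-01T14:05:00+00:00", "username": "admin01", "source_ip": "10.20.30.40", "action": "role.grant"}
{"timestamp": "2024-03-01 14:07:00", "username": "admin02", "source_ip": "10.20.30.41", "action": "config.edit"}
{"timestamp": "2024-03-01T14:09:30Z", "username": "admin02", "action": "config.edit"}
{"timestamp": "2024-03-01T14:10:00Z", "username": "", "source_ip": "not-an-ip", "action": "user.delete"}
this line is not json
"""


def parse_timestamp(value):
    """Return an aware datetime, or None if the value is not usable.

    Timestamps without a UTC offset are rejected: they cannot be
    correlated across systems that log in different time zones."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def validate_record(line):
    """Return a list of problems for one log line (empty means it passes)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    if not isinstance(rec, dict):
        return ["record is not a JSON object"]
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in rec or rec[field] in ("", None):
            problems.append(f"missing {field}")
    if "timestamp" in rec and parse_timestamp(rec["timestamp"]) is None:
        problems.append("timestamp is not ISO 8601 with a UTC offset")
    if rec.get("source_ip"):
        try:
            ipaddress.ip_address(rec["source_ip"])
        except ValueError:
            problems.append("source_ip is not an IP address")
    return problems


def validate_log(text):
    """Validate every non-empty line; return (passed_count, {line_no: problems})."""
    passed = 0
    failures = {}
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        problems = validate_record(line)
        if problems:
            failures[n] = problems
        else:
            passed += 1
    return passed, failures


def retention_covered(text, now, days=RETENTION_DAYS):
    """True if the oldest parseable record is at least `days` before `now`,
    i.e. the store still holds the full retention window. A store younger
    than `days` fails this check even if nothing has been deleted."""
    stamps = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            ts = parse_timestamp(rec.get("timestamp"))
            if ts is not None:
                stamps.append(ts)
    if not stamps:
        return False
    return now - min(stamps) >= timedelta(days=days)


if __name__ == "__main__":
    passed, failures = validate_log(SAMPLE_LOG)
    print(f"{passed} records passed")
    for n, probs in sorted(failures.items()):
        print(f"line {n}: {', '.join(probs)}")
    window_end = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print("90-day window covered:", retention_covered(SAMPLE_LOG, window_end))
```

Run it against an export from the central log server rather than the application host: the policy point is that the retained copy, not the one on the box an attacker may have reached, is what must carry the full record. The retention check only tells you the store reaches back 90 days; it says nothing about whether records in the middle were deleted, so pair it with the log platform's own immutability or index-retention settings.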