Harvard University Information Security | HARVARD.EDU

SA6

Users of administrative accounts on certain enterprise systems must complete the account attestation process.

Administrative Account Attestation for Enterprise SystemsThe annual administrative account attestation process is...

Ensure users agree to access only required specific information

User must agree annually (via confidentiality reminder) to only access the specific information they have a business reason to access.

Make use of user groupings

Make use of user groupings to determine authorization (for example, via groups in ActiveDirectory or LDAP or by using AuthZProxy or Grouper).

Review active accounts

Send a list of active accounts to the business owner monthly to review; ideally this will be done via a trackable mechanism such as Service Now.

Disable account access

Disable account access if user leaves University or changes jobs such that they no longer have a business need to access the information; the best way to do this is by using the central authentication service.

Appropriate user access

SA6: Users must only be permitted to access a server or application after their current business need for access has been established, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Information Security Policy

Harvard University

SA6