No Level 4 On Devices

Work from materials stored on approved servers or services and do not copy them to your local system. If you are conducting field research to collect Level 4 data and cannot meet this requirement send an email to to request an information security consultation for Harvard-approved external encrypted portable storage media and process.

Overwrite data or shred the storage media

  • On smartphones, tablets, and encrypted USB thumb drives: enter incorrect passwords until device reformats itself, or select Factory Reset in Settings
  • On personally-owned laptops: remove and shred hard drive or activate full disk encryption using secret key (password) you don't share
  • For Harvard-purchased or Harvard-managed devices: contact local IT Support for pick-up or drop-off of devices so they can remove data and recycle
  • For CD/DVD: Shred at provided shredders or contact local IT Support

Require use of encrypted protocols

Set to require the use of SSL, TLS or other encrypted protocol for email and calendar access. Regardless of device type, if you are considering use of applications that will access or transfer Harvard confidential information and have questions about whether this is appropriate, contact your help desk.

Apply patches promptly

Keep the device’s OS current and apply all OS and application patches in a timely fashion (enable auto update apps if available). See "How to Work With User Devices" checklists for your device type.

Device Management Systems

D7: Anyone deploying or using a mobile device management system other than Microsoft ActiveSync must contact the University Security Office.

Reporting Lost Device

D6: Any actual or suspected loss, theft, or improper use of a device storing confidential information must be reported promptly.

Disposing of Devices

D5: The information stored on the device must be protected against access when the device is disposed of.

Configuring Applications

D4: Client applications on the device which might be used to access or transfer confidential information must be configured to protect their communications.

Applying Patches

D3: Operating system and application patches must be applied promptly.

Protecting Information on Devices against Loss, Theft, or Reuse

D2: The information stored on the device must be protected against access if the device is lost, stolen, or recycled/reissued to another user. All mobile devices (laptops, mobile phones, etc.) and workstations that may be used to store or access Harvard information, including accessing Harvard email, must be securely configured, including encryption of data stored on the device, where this feature is supported.

Configuring Devices

Note: Enforcement of configurations for personally-managed devices will be phased in, beginning with alerts of non-compliance and grace periods to resolve detected gaps.
D1: All devices connecting to or installed on a non-guest Harvard network or authenticating to Harvard applications must be configured for secure operation, including non-default unique passwords/credentials that limit access to authorized individuals and services, proper registration of the device on the network, current and supported operating system (firmware and software), regular updates and...

Read more about Configuring Devices