Servers B

Central Authentication Services

SB12: Servers or applications classified as medium risk or higher, or handling data classified as L3 or higher, whether managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS), must use a centrally-managed Harvard authentication system that requires more than one factor for authentication where technically feasible, e.g. HarvardKey or Harvard VPN, or comparable non-Harvard multi-factor authentication system (supported/approved by Harvard). 

Securely overwrite or destroy physical media

Securely overwrite disk drives in servers at a block level or physically destroy when the server is removed from service or disk drives are permanently removed from servers.

Report possible breach, loss or theft of confidential information

The University CISO (see and the OGC must be informed of any known or suspected breach of a server containing confidential information. In addition, the University maintains a whistleblowing policy. The policy is intended to encourage all members of the Harvard community to report suspected violations of law or Harvard policy. The policy provides a mechanism for reporting and investigating suspected violations, including a Compliance Hotline which is available to University affiliated persons wishing to remain anonymous when reporting concerns...

Read more about Report possible breach, loss or theft of confidential information

Use software to review logs

Use software (e.g. Splunk) to periodically review the server and application logs to see if the system is under attack (e.g., many bad password guesses) and that the users are following documented practices (e.g., not logging as root).

Block excessive logins

 Block user from logging in for a period of time after no more than 10 successive invalid login attempts.