Level 3 On Devices

U9: Information designated Level 3 must not be stored on user devices, or portable media, unless the device or media is encrypted.

Strong Passwords

U4: Passwords used on all systems for Harvard business should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. Further, users must leverage multi-factor authentication (two-step verification) wherever supported. (Harvard systems behind HarvardKey authentication will meet our length, complexity, and multi-factor standards.)

Different Passwords

U3: Different passwords must be used for Harvard and non-Harvard accounts.

Protect Passwords

U2: All passwords and other access credentials must be protected. They must never be stored in plaintext and must not be stored directly in scripts or configuration files.

No Shared Passwords

U1: Users’ passwords and other access credentials must never be shared.