Level 2

Log Retention

SC10: Logs required by the Harvard Information Security Policy must be retained for a minimum of 90 days, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's...


Server operators

SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Highest classification

SA13: Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

No shared accounts

SA11: Server operators must not knowingly permit shared user account credentials, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Malware detection and endpoint detection and response

SA10: All servers must run malware detection and endpoint detection and response software with up-to-date signature files, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Current patches

SA9: Operating system and application patches must be current and supported by the vendor or Open Source project, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Password Management

SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords requires L4 security.

Stored passwords

SA7: Systems that manage user passwords and other access credentials must be designed in such a way that the passwords are not retrievable by administrators.
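One way to meet SA7 and SA8 in code is to store only a salted, memory-hard digest of each password, so the credential store holds nothing from which an administrator can recover the password. The block below is an added example written for this page; it is not Harvard's or any vendor's implementation, and the scrypt cost parameters, the record format and the `needs_rehash` policy are assumptions, not values taken from the policy text.

```python
"""Salted scrypt password storage: the stored record never contains the
password, and verification is a one-way recomputation plus constant-time
compare.  Example code for this page, not a Harvard-supplied implementation."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost parameters (the policy text does not specify any).
SCRYPT_N = 2 ** 14      # CPU/memory cost; 128 * N * r bytes = 16 MiB here
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32              # digest length in bytes


def hash_password(password: str, salt: Optional[bytes] = None,
                  n: int = SCRYPT_N) -> str:
    """Return a self-describing record "$scrypt$N$r$p$salt$digest".

    A fresh random salt is drawn per password unless one is supplied, so two
    users with the same password get different records.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$scrypt$%d$%d$%d$%s$%s" % (
        n, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def _parse(record: str):
    """Split a record into (n, r, p, salt, digest); raise ValueError if malformed."""
    _, algo, n, r, p, salt_b64, digest_b64 = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported algorithm")
    # b64decode raises binascii.Error, a subclass of ValueError.
    return int(n), int(r), int(p), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own parameters and compare in
    constant time.  Malformed records verify as False rather than raising."""
    try:
        n, r, p, salt, expected = _parse(record)
    except ValueError:
        return False
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True if the record was produced with weaker-than-current parameters,
    so the password should be re-hashed at the user's next successful login.
    (Assumed policy: only the N cost is compared.)"""
    try:
        n, _, _, _, _ = _parse(record)
    except ValueError:
        return True
    return n < SCRYPT_N


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)                                   # no plaintext in the record
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("wrong", rec))                          # False
```

The record carries its own salt and cost parameters, so the parameters can be raised later without invalidating existing users: `needs_rehash` flags old records and the application re-hashes the password the next time it is presented, which is the only moment the plaintext is available.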

Appropriate user access

SA6: Users must only be permitted to access a server or application after their current business need for access has been established, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Default passwords and generic accounts

SA5: Default passwords must be changed and generic accounts must be disabled or removed before the server or application is put into use, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).          

Server-application communication

SA4: Communications between servers or applications must be protected, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Server communication

SA3: Communications between servers or applications and client machines must be protected, whether these servers are managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

Complex passwords

SA2: Servers and applications that manage passwords must force the setting of a complex password. Further, they must enforce multi-factor authentication where technically possible. Complexity and reset frequency must meet the following requirements where technically feasible (consult the Security office if the following requirements are not technically feasible):...

Application owner and classification level

SA1: Server operators must be able to identify a responsible party, known as the business application owner, for each application on the server and the data classification level of the information that the application stores and processes.