Level 3

Central Authentication Services

SB12: Servers or applications classified as medium risk or higher, or handling data classified as L3 or higher, whether managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS), must use a centrally-managed Harvard authentication system that requires more than one factor for authentication where technically feasible, e.g. HarvardKey or Harvard VPN, or a comparable non-Harvard multi-factor authentication system (supported/approved by Harvard).

Secure disposal

SB11: Information designated level 3 or 4 must be properly disposed of by securely overwriting the information or physically destroying the media when no longer needed.

Reporting breaches

SB10: Server and application operators must promptly inform the proper authorities of any possible breaches.

Reviewing logs

SB9: The logs must periodically be reviewed for anomalous behavior.

Logging access

SB7: User and administrator access to servers and applications must be logged.

Theft or loss

SB6: Confidential information on servers and backup media must be protected against access in the case of physical theft or loss.

Improper access

SB5: Servers must be protected from improper network-based access.

Idle sessions

SB3: A mechanism must be used to force re-authentication to user accounts after an idle period.

Password guessing

SB2: Servers or applications must implement a mechanism that inhibits password guessing attacks on user accounts if the server or application does its own authentication.

Server operators

SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements.

Highest classification

SA13: Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification.

No shared accounts

SA11: Server operators must not knowingly permit shared user account credentials.

Current patches

SA9: Operating system and application patches must be current and supported by the vendor or Open Source project.