Level 3

Central Authentication Services

SB12: Servers or applications handling data classified as L3 or higher, whether managed directly by Harvard or a contracted vendor (e.g. SaaS), must use a centrally-managed Harvard authentication system where feasible, e.g. HarvardKey or HUIT Active Directory, or an authentication system approved by the School or University CIO.

Secure disposal

SB11: Information designated level 3 or 4 must be properly disposed of by securely overwriting the information or physically destroying the media when no longer needed.

Reporting breaches

SB10: Server and application operators must promptly inform the proper authorities of any possible breaches.

Reviewing logs

SB9: The access logs required by SB7 must be reviewed periodically for anomalous behavior (for example, bursts of failed logins, logins at unusual times or from unusual locations, or administrator actions outside change windows).
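The following is an added example of what a periodic log review for anomalous behavior can look like in practice; it is not part of the Harvard policy text and the University does not prescribe any particular tool or threshold. It scans OpenSSH-style `auth.log` lines (the sample lines below are constructed for illustration, not real logs) and raises an alert when one source address produces a burst of failed logins inside a short window, and a second, higher-priority alert when that same source then logs in successfully, which is the pattern a successful password-guessing attack leaves behind. The threshold and window are assumptions chosen for the sample; tune them to the server's normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed tuning values for this example: five failures from one source
# within sixty seconds is treated as password guessing.
FAIL_THRESHOLD = 5
WINDOW_SECONDS = 60

# Constructed sample in OpenSSH auth.log style (not a real log). One source
# fails five times against "root" and then succeeds; a normal user mistypes
# once and then logs in, which should not raise an alert.
SAMPLE_LOG = """\
Mar  3 09:00:01 srv1 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:00:03 srv1 sshd[1002]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 09:00:04 srv1 sshd[1003]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 09:00:06 srv1 sshd[1004]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 09:00:07 srv1 sshd[1005]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 09:00:09 srv1 sshd[1006]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  3 09:15:00 srv1 sshd[1101]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Mar  3 09:20:00 srv1 sshd[1102]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 09:20:30 srv1 sshd[1103]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
"""

# Matches the "Accepted ..." and "Failed ..." lines sshd writes; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine here because only differences between timestamps are used.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def review_auth_log(text, fail_threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of (kind, source_ip, user) alerts found in the log text.

    kind is "password_guessing" for a burst of failures from one source, or
    "success_after_guessing" when a source that produced such a burst then
    logs in successfully (treat that one as a possible compromise).
    """
    recent_failures = defaultdict(deque)   # source ip -> timestamps of failures in the window
    already_flagged = set()                # avoid repeating the guessing alert per source
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        # Slide the window: drop failures older than `window` seconds.
        while q and (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= fail_threshold and ev["src"] not in already_flagged:
                already_flagged.add(ev["src"])
                alerts.append(("password_guessing", ev["src"], ev["user"]))
        elif len(q) >= fail_threshold:
            # A success right after a burst of failures is the signature of a
            # guessing attack that worked; this should page someone.
            alerts.append(("success_after_guessing", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in review_auth_log(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the scan reports `203.0.113.7` once for guessing and once for the successful `root` login that followed, and says nothing about `alice`. In a real deployment this logic would run from cron or a SIEM rule against the central log store, with the alerts feeding the breach-reporting path required by SB10.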

Logging access

SB7: User and administrator access to servers and applications must be logged.

Theft or loss

SB6: Confidential information on servers and backup media must be protected against access in the case of physical theft or loss.

Improper access

SB5: Servers must be protected from improper network-based access.

Idle sessions

SB3: A mechanism must be used to force re-authentication to user accounts after an idle period.

Password guessing

SB2: Servers or applications must implement a mechanism that inhibits password guessing attacks on user accounts if the server or application does its own authentication.
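As an added illustration of the kind of mechanism SB2 calls for (this is example code, not part of the Harvard policy and not a University-endorsed implementation), the class below gates password checks with two independent throttles: a per-account lockout whose duration doubles with each further failure and is capped so that an attacker cannot permanently lock a user out, and a per-source counter that stops one address from spraying one guess across many accounts. Passwords are verified with PBKDF2 and a constant-time comparison, and unknown usernames still pay the cost of a hash so response timing does not reveal which accounts exist. The limits, window and iteration count are assumptions for the example; the clock is injected so the behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed tuning values for this example.
MAX_FAILURES = 5          # failures on one account before lockout begins
BASE_LOCKOUT = 30         # seconds; doubles with each further failure
MAX_LOCKOUT = 3600        # cap so a guessing attacker cannot deny service indefinitely
SOURCE_LIMIT = 20         # failures from one source address ...
SOURCE_WINDOW = 300       # ... within this many seconds triggers a source throttle
PBKDF2_ITERATIONS = 100_000   # kept low so the example runs quickly; use more, or a memory-hard KDF, in production


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, iterations, digest) for storing a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


@dataclass
class Account:
    salt: bytes
    iterations: int
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class FakeClock:
    """Simulated clock so the lockout timing can be exercised deterministically."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ThrottledAuthenticator:
    def __init__(self, accounts, clock):
        self.accounts = accounts            # username -> Account
        self.clock = clock                  # callable returning seconds
        self.source_failures = {}           # source ip -> (count, window_start)
        self._dummy_salt = os.urandom(16)   # used to hash guesses against unknown users

    def _source_state(self, src, now):
        count, start = self.source_failures.get(src, (0, now))
        if now - start > SOURCE_WINDOW:     # window expired: start counting afresh
            count, start = 0, now
        return count, start

    def _record_source_failure(self, src, now):
        count, start = self._source_state(src, now)
        self.source_failures[src] = (count + 1, start)

    def authenticate(self, username, password, source_ip):
        """Return "ok", "denied", "locked" or "throttled"."""
        now = self.clock()
        count, _ = self._source_state(source_ip, now)
        if count >= SOURCE_LIMIT:
            return "throttled"              # no password check at all for a noisy source
        acct = self.accounts.get(username)
        if acct is None:
            # Same amount of work as a real check so timing does not leak which usernames exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), self._dummy_salt, PBKDF2_ITERATIONS)
            self._record_source_failure(source_ip, now)
            return "denied"
        if now < acct.locked_until:
            self._record_source_failure(source_ip, now)
            return "locked"                 # correct password is not even tested while locked
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, acct.iterations)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        self._record_source_failure(source_ip, now)
        if acct.failures >= MAX_FAILURES:
            extra = acct.failures - MAX_FAILURES
            acct.locked_until = now + min(BASE_LOCKOUT * (2 ** extra), MAX_LOCKOUT)
        return "denied"


def run_scenario():
    """Exercise both throttles against a constructed account; returns the result sequence."""
    clock = FakeClock(1000.0)
    salt, iters, digest = hash_password("correct horse battery staple")
    auth = ThrottledAuthenticator({"alice": Account(salt, iters, digest)}, clock)
    results = []
    for _ in range(MAX_FAILURES):                       # five wrong guesses, one second apart
        results.append(auth.authenticate("alice", "wrong", "198.51.100.20"))
        clock.advance(1)
    results.append(auth.authenticate("alice", "correct horse battery staple", "198.51.100.20"))  # inside lockout
    clock.advance(31)
    results.append(auth.authenticate("alice", "correct horse battery staple", "198.51.100.20"))  # lockout expired
    for i in range(SOURCE_LIMIT):                       # one address sprays a guess over many usernames
        auth.authenticate(f"user{i}", "Winter2024!", "203.0.113.7")
    results.append(auth.authenticate("alice", "correct horse battery staple", "203.0.113.7"))    # source throttled
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The scenario yields five `denied`, then `locked` for the correct password submitted during the lockout, `ok` once it expires, and `throttled` for a correct login from the spraying address. That last result is the trade-off to decide on deliberately: a per-source throttle also blocks legitimate users behind a shared NAT, so the window and limit should be set from observed traffic, and every `locked` and `throttled` outcome should be written to the access log that SB7 requires.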

Server operators

SA14: People responsible for the operation of servers must have the skills, experience and/or training needed to implement these requirements.

Highest classification

SA13: Servers storing or processing information belonging to more than one classification must meet the requirements associated with the highest classification.

Scanning servers

SA12: All University owned servers must be annually scanned for the presence of High Risk Confidential Information (HRCI).

No shared accounts

SA11: Server operators must not knowingly permit shared user account credentials.

Malware detection

SA10: Servers must be running applicable malware detection software with up-to-date signature files.