Level 4

Report location and volumes of identifiable records with full Social Security Numbers annually

SSN4: The Harvard “business owner” of any records containing identifiable records with full SSNs, whether electronic or paper, stored by the Harvard unit or by a vendor, must annually report that there are such records and describe the system or systems on which they are maintained, the retention schedule, the location of the system(s), and the approximate number of such records containing full SSNs.

 

Dispose of or archive identifiable records with full Social Security Numbers securely when retention no longer required by law

SSN3: When no longer required by law or for the business purpose approved through the exception process, electronic or printed identifiable records containing full SSNs and not subject to a legal hold must be properly disposed of so that the information cannot be retrieved or reassembled. In cases where selected records are identified as having archival value, such as stated in the General Records Schedule, those records are to be transferred securely to the Harvard University Archives (HUA), school-specific archives, or appropriate Harvard specialty archives and then securely removed from...

Read more about Dispose of or archive identifiable records with full Social Security Numbers securely when retention no longer required by law

Compile and maintain identifiable records with Social Security Numbers only when required by law

SSN2: New collection processes or new research grants effective on or after July 1, 2017: Identifiable records containing full SSNs may be compiled and maintained only to comply with a specific legal requirement. Full SSNs plus identifiable information may only be used or printed in documents where it is legally required. Identifiable records with full SSNs may not be compiled or maintained if there is no legal requirement for that specific data. For example, maintaining full SSNs only as a tool for differentiating records does not satisfy a legal requirement; the same purpose could be...

Read more about Compile and maintain identifiable records with Social Security Numbers only when required by law

Protect identifiable records with Social Security Numbers according to Level 4 requirements

SSN1: All records compiled or maintained by or for Harvard that contain full SSNs plus other information that can connect the record to an individual (e.g. date of birth, phone number, address, etc.), wherever located and whatever the format, are High Risk Confidential Information and must satisfy the applicable processing and protection requirements for Level 4 data.

Central Authentication Services

SB12: Servers or applications handling data classified as L3 or higher, whether managed directly by Harvard or a contracted vendor (e.g. SaaS), must use a centrally-managed Harvard authentication system where feasible, e.g. HarvardKey or HUIT Active Directory, or an authentication system approved by the School or University CIO.

Protecting Servers

SC9: Servers on the same subnet must be protected against attack from each other.

Secure locations

SC8: Servers must be kept in secure locations and properly inventoried.

User access

SC7: User access to level 4 information on servers must be logged.

Access logs

SC6: Logs of user and administrator access to servers and applications must be securely maintained on a remote computer.

Permitted access

SC5: The business application owner for applications dealing with Level 4 information must designate which employees have permission to access level 4 information about others from outside the Harvard wired or other Harvard strongly authenticated and encrypted wireless network.

Outbound traffic

SC4: Outbound traffic from servers must be limited to that required to properly operate the service.

Server vulnerability

SC3: Server operators must take reasonable actions on a regular basis to ensure that their systems are not vulnerable to attack.

External access

SC1: Servers must not be directly accessible from the Internet or from parts of the Harvard network where there are user computers.

Secure disposal

SB11: Information designated level 3 or 4 must be properly disposed of by securely overwriting the information or physically destroying the media when no longer needed.

Pages