# Apply Standards

 



 ![Apply Standards](/sites/g/files/omnuum12036/files/2025-02/applystandards.png)

 

The Minimum Standards are a set of fundamental cybersecurity criteria designed to ensure a consistent baseline is applied across University assets. These standards help students, faculty, and staff protect University assets, safeguard data integrity, prevent unauthorized access, and comply with both internal policy and external regulatory obligations.

- Researchers should visit the OVPR’s [Research Data Management site](https://research.harvard.edu/research-policies-compliance/research-data-management/) for additional policy considerations.
- Contractual or legal requirements may override these standards.
- Institutional policy or system limitations may override these standards.






### Examples: When Contractual or Legal Requirements May Override These Standards

**Regulated Data (HIPAA, FERPA, PCI DSS):** You may need to set up systems with special security controls like encryption or audit logs for health, student, or credit card data.

**Sponsored Research Projects:** Grant or sponsor requirements might require you to use specific security standards (like NIST or FISMA) when configuring your systems.

**Vendor or Cloud Agreements:** Some contracts with vendors or cloud providers may limit which security settings or locations you can use for your systems.

**International Data Laws (GDPR):** Sometimes, you must configure systems to store or process data only in certain regions to follow international or local laws.

 

 



### Examples: When Institutional Policy or System Limitations May Override These Standards

**Legacy Systems:** There may be older (legacy) systems that cannot meet every aspect of the Minimum Standard (for example, lacking support for modern encryption).

**Vendor Constraints:** Some third-party software or platforms may have built-in restrictions that prevent full alignment with the Minimum Standard.

**Business Continuity/Emergency Needs:** During declared emergencies or business continuity events, temporary exceptions might be required for operational needs.

**Accessibility and Accommodation:** To accommodate Community Members with disabilities, alternative configurations or technologies might be required.

*In these cases, documented exceptions and compensating controls are typically required.*

 

 



 

 

 

 

---

 

##  University Minimum Standards 

- Use the University Risk Classification schema to determine which Minimum Standard should be applied.
- Only high-level requirements are represented in the tables below. Use the linked guides to apply the Minimum Standards.
- Level 5 (Federal Requirements): Reserved for exceptional cases. If you think your data meets Level 5, contact your School Privacy & Security Officer for guidance.

 

[Classify Risk](/classify-risk)

 




## Personal Devices

Computers, laptops and mobile devices. Purchased and maintained by a community member.

[**Use this How To Guide for additional details**](https://harvard.service-now.com/ithelp?id=kb_article&sys_id=910b8fb6474e5250bfa5f97c416d4362) to apply the Minimum Standards (HarvardKey required).

 

 

| Requirement | What to do | Levels 1 & 2 | Level 3 | Level 4\* |
|---|---|---|---|---|
| Network Registration | Register devices before connecting to the University network. | ✔️ | ✔️ | n/a |
| Passwords | Create strong, unique passwords. Use Multi-Factor Authentication where possible. | ✔️ | ✔️ | n/a |
| Account Permissions | Limit access to only those who need it. | ✔️ | ✔️ | n/a |
| Configuration | Configure devices and software securely, including updating, encryption and authentication. | ✔️ | ✔️ | n/a |
| Reporting Incidents | Report lost or stolen data, devices and any suspicious cyber activity. | ✔️ | ✔️ | n/a |
| Data Destruction | Securely dispose of data and devices. | ✔️ | ✔️ | n/a |





\*Level 4 data should not be stored on personal devices. Use [University approved services or secure external media](/node/1582031#collabtools).



 



 

 

 

## University Devices

Computers, laptops and mobile devices. Purchased and maintained by the University (purchased through University Finance or research grants).

[**Use this How To Guide for additional details**](https://harvard.service-now.com/ithelp?id=kb_article&sys_id=ce160206474c66941469f46b416d4375) to apply the Minimum Standards (HarvardKey required).

 

 

| Requirement | What to do | Levels 1 & 2 | Level 3 | Level 4\* |
|---|---|---|---|---|
| Network Registration | Register the device before connecting to the University network. | ✔️ | ✔️ | n/a |
| Asset Inventory | Maintain a comprehensive inventory of devices using a centralized system. | ✔️ | ✔️ | n/a |
| Apply Updates | Ensure that all systems and software are up to date. | ✔️ | ✔️ | n/a |
| Passwords | Create strong, unique passwords. Use Multi-Factor Authentication where possible. | ✔️ | ✔️ | n/a |
| Authentication | Require Multi-Factor Authentication. Integrate with Central Authentication Service where possible. | ✔️ | ✔️ | n/a |
| Account Permissions | Configure for least privilege. Use group policy. Integrate with Central Authorization Service where possible. | ✔️ | ✔️ | n/a |
| Default Accounts | Reset initial passwords, disable or render root/admin unusable. | ✔️ | ✔️ | n/a |
| Configuration | Apply standardized management tools on devices for configuration, including Centralized Managed Detection and Response. | ✔️ | ✔️ | n/a |
| File Permissions | Disable “public” permissions. | ✔️ | ✔️ | n/a |
| Encryption at Rest | Enable encryption features to secure data stored on devices. | ✔️ | ✔️ | n/a |
| Encryption in Transit | Use current encryption protocols for data in transit. | ✔️ | ✔️ | n/a |
| Patching | Follow a managed patching schedule for operating system and software. Automate patching where possible. | ✔️ | ✔️ | n/a |
| Data Backups | Regularly back up documents to a secure location. | ✔️ | ✔️ | n/a |
| Reporting Incidents | Report lost or stolen data, devices and any suspicious cyber activity. | ✔️ | ✔️ | n/a |
| Data Destruction | Securely dispose of data and devices. | ✔️ | ✔️ | n/a |





\*Level 4 data should not be stored on University devices. Use [University approved services or secure external media](/shield-data#collabtools "Shield Data").



 



 

 

 

## Servers

On-premises or cloud-based computing resources used for processing, storage, and application support.

[**Use this How To Guide for additional details**](https://harvard.service-now.com/ithelp?id=kb_article&sys_id=ce160206474c66941469f46b416d4375) to apply the Minimum Standards (HarvardKey required).

 

 

| Requirement | What to do | Levels 1 & 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Asset Inventory | Maintain a comprehensive inventory of servers using a centralized system. | ✔️ | ✔️ | ✔️ |
| Apply Updates | Ensure that all systems and software are up to date. | ✔️ | ✔️ | ✔️ |
| Passwords | Create strong, unique passwords. Use Multi-Factor Authentication where possible. | ✔️ | ✔️ | ✔️ |
| Authentication | Require Multi-Factor Authentication. Integrate with Central Authentication Service where possible. | ✔️ | ✔️ | ✔️ |
| Account Permissions | Configure for least privilege. Use group policy. Integrate with Central Authorization Service where possible. | ✔️ | ✔️ | ✔️ |
| Default Accounts | Reset initial passwords, disable or render root/admin unusable. | ✔️ | ✔️ | ✔️ |
| Configuration | Apply standardized management protocols across operating systems, including Centralized Managed Detection and Response. | ✔️ | ✔️ | ✔️ |
| File Permissions | Disable “public” permissions. | ✔️ | ✔️ | ✔️ |
| Encryption at Rest | Apply tools to encrypt data stored on disk. | ❌ | ❌ | ✔️ |
| Encryption in Transit | Use current encryption protocols for data in transit. | ✔️ | ✔️ | ✔️ |
| Network Access | Use private IP addresses and restrict outbound traffic to necessary functions. | ❌ | ❌ | ✔️ |
| Remote Access | Encrypt all remote connections and require Multi-Factor Authentication. | ✔️ | ✔️ | ✔️ |
| Firewalls | Block unnecessary server-to-server communications, permit only essential inbound traffic, and separate servers from end-user networks. | ✔️ | ✔️ | ✔️ |
| Web Application | Protect servers hosting web applications with a Web Application Firewall. | ✔️ | ✔️ | ✔️ |
| Scanning | Conduct regular security scans and centralize the reporting process. | ✔️ | ✔️ | ✔️ |
| Patching | Follow a managed patching schedule for operating system and software. Automate patching where possible. | ✔️ | ✔️ | ✔️ |
| Logging | Record and forward application, system, and security events to a centralized log management system. | ❌ | ✔️ | ✔️ |
| Data Backups | Regularly back up important data securely. | ❌ | ✔️ | ✔️ |
| Reporting Incidents | Report lost or stolen data and any suspicious cyber activity. | ✔️ | ✔️ | ✔️ |
| Data Destruction | Securely dispose of data and hardware. | ✔️ | ✔️ | ✔️ |







 



 

 

 

## SaaS

Software as a Service: provides software applications over the internet, accessed through a web browser.

[**Use this How To Guide for additional details**](https://harvard.service-now.com/ithelp?id=kb_article&sys_id=ce160206474c66941469f46b416d4375) to apply the Minimum Standards (HarvardKey required).

 

 

| Requirement | What to do | Levels 1 & 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Asset Inventory | Maintain a comprehensive inventory of applications using a centralized system. | ✔️ | ✔️ | ✔️ |
| Passwords | Create strong, unique passwords. Use Multi-Factor Authentication where possible. | ✔️ | ✔️ | ✔️ |
| Authentication | Require Multi-Factor Authentication. Integrate with Central Authentication Service where possible. | ✔️ | ✔️ | ✔️ |
| Account Permissions | Configure for least privilege. Use group policy. Integrate with Central Authorization Service where possible. | ✔️ | ✔️ | ✔️ |
| Default Accounts | Reset initial passwords, disable or render root/admin unusable. | ✔️ | ✔️ | ✔️ |
| Configuration | Follow vendor-recommended best practices. | ✔️ | ✔️ | ✔️ |
| File Permissions | Disable “public” permissions. | ✔️ | ✔️ | ✔️ |
| Encryption in Transit | Use secure transfer protocols or approved collaboration tools when sharing data with vendors. | ✔️ | ✔️ | ✔️ |
| Logging | Record and forward application, system, and security events to a centralized log management system. | n/a | ❌ | ✔️ |
| Contracts | Consult with a university procurement team and include all necessary clauses. | ✔️ | ✔️ | ✔️ |
| Risk Assessments | Request a risk assessment before signing any contract. | ❌ | ❌ | ✔️ |
| Reporting Incidents | Report lost or stolen data and any suspicious cyber activity. | ✔️ | ✔️ | ✔️ |
| Data Destruction | Confirm data destruction timeline at contract expiration. | ❌ | ✔️ | ✔️ |







 



 

 

 

## IaaS

Infrastructure as a Service (control plane / management plane): provides resources such as virtual servers, storage space, and networking over the internet.

[**Use this How To Guide for additional details**](https://harvard.service-now.com/ithelp?id=kb_article&sys_id=ce160206474c66941469f46b416d4375) to apply the Minimum Standards (HarvardKey required).

 

 

| Requirement | What to do | Levels 1 & 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Asset Inventory | Maintain a comprehensive inventory of resources using a centralized system. | n/a | ✔️ | ✔️ |
| Apply Updates | Ensure that all systems and software are up to date. | n/a | ✔️ | ✔️ |
| Passwords | Create strong, unique passwords. Use Multi-Factor Authentication where possible. | n/a | ✔️ | ✔️ |
| Authentication | Require Multi-Factor Authentication. Integrate with Central Authentication Service where possible. | n/a | ✔️ | ✔️ |
| Account Permissions | Configure for least privilege. Use group policy. Integrate with Central Authorization Service where possible. | n/a | ✔️ | ✔️ |
| Default Accounts | Reset initial passwords, disable or render root/admin unusable. Restrict API access. | n/a | ✔️ | ✔️ |
| Configuration | Apply standardized infrastructure as code to provision resources. Configure cloud monitoring, detection and compliance management solutions. | n/a | ✔️ | ✔️ |
| Encryption in Transit | Use current encryption protocols for data in transit. | n/a | ✔️ | ✔️ |
| Network Access | Use private IP addresses and restrict outbound traffic to necessary functions. | n/a | ❌ | ✔️ |
| Firewalls | Permit only essential inbound and outbound traffic. | n/a | ✔️ | ✔️ |
| DDoS Prevention | Activate protection against DDoS attacks. | n/a | ❌ | ✔️ |
| Logging | Record and forward application, system, and security events to a centralized log management system. | n/a | ❌ | ✔️ |
| Scanning | Conduct regular security scans and centralize the reporting process. | n/a | ✔️ | ✔️ |
| Data Storage | Limit data storage to specific U.S.-based regional locations. | n/a | ✔️ | ✔️ |
| Data Backups | Regularly back up important data, including infrastructure configurations, to a secure location. | n/a | ✔️ | ✔️ |
| Contracts | Consult with a university procurement team and include all necessary clauses. | n/a | ✔️ | ✔️ |
| Risk Assessments | Request a risk assessment before signing any contract. | n/a | ❌ | ✔️ |
| Reporting Incidents | Report lost or stolen data and any suspicious cyber activity. | n/a | ✔️ | ✔️ |







 



 

 

 

 

 

### Privacy Insight

At Harvard, we are dedicated to safeguarding personal data. Securing assets is an important step but not all that is required. Certain information, including health and financial data, may require additional steps to comply with a law and/or regulation beyond securing an asset. For more information, reference the [Privacy Principles](/privacy-principles) guide and training.