Minimum Security Responsibilities
Home > Best Practices & Standards > Minimum Security Responsibilities
Minimum Security Responsibilities
Individuals
Security is everyone’s responsibility. Follow this guide to make sure you’re doing your part when working with information at Harvard.
Use securely configured devices for Harvard work
Harvard managed devices are configured and maintained with security in mind. If you are managing a computer or phone yourself, follow our minimum security configuration.
Use Harvard services for Harvard work
Harvard provides many services with security controls and contracts in place. Need something else? Follow our guidance for vendor and service onboarding.
Report security concerns
If you receive a suspicious message, notice data where it doesn’t belong, or believe you account has been compromised, contact us immediately.
Complete applicable training
Stay informed about the right ways to work, learn and research securely.
Classify and manage Harvard data appropriately
Understanding the security level of the data you work with is crucial to protecting it.
Protect accounts with strong passwords and MFA
Use strong, unique passwords for every account. A password manager makes this easy. Enable MFA to stay secure even if a password is stolen.
Minimum Security Responsibilities
Computers and Mobile Devices
These are the minimum security requirements that must be followed when using a device to connect to Harvard’s resources or doing work for the University.
Require a password or similar control for device access
Require a form of authentication, like a pin, password, or thumbprint, to unlock your device.
Apply security updates
Security patches keep your device protected against the latest exploits. Updates should be configured to download automatically.
Install and configure security software
Anti-virus or anti-malware software prevents malicious code from running on the protected system.
Encrypt device storage
When a device’s storage is encrypted, a stolen device will not necessarily mean stolen data.
Configure devices to lock when not in use
Devices should require re-authentication after a period of inactivity.
Discontinue use of end-of-life products
If a product is no longer supported by its manufacturer, it should be replaced, upgraded, or removed.
Backup data securely
Keep backups of Harvard data on approved storage services or encrypted removable storage.
Minimum Security Responsibilities
Vendor and Service Onboarding
Harvard provides many services to collect information, store it and collaborate on it with others. If you need something more, review these measures to confirm your new service meets Harvard data safety requirements.
Classify the security level of the data you will use
Data classification is the first step to determining the controls a vendor will need to meet Harvard’s security requirements
Initiate vendor risk assessment as needed
All vendors that will manage Level 4 data must undergo a risk assessment. Level 3 and below are eligible for a review, based on your judgement and risk tolerance.
Request contract review from Strategic Procurement
Strategic Procurement negotiates contracts with new vendors to meet Harvard’s legal requirements
Register with IAM for HarvardKey integration
Where possible, use HarvardKey as the primary method of accessing your vendor’s services.
Understand your vendor’s shared responsibility model
Confirm with your vendor what security tasks and controls they provide, and what is expected of you.
Think through the lifecycle of your data with privacy and security in mind
Before using a vendor service, confirm how data will be added to the system, used while in the system, and how it will be deleted or archived.