System or Service Custodian Responsibilities
System or Service Custodian
If you are in control of or responsible for the operation, maintenance, or vendor management of a system or service processing University Data, you are a System or Service Custodian.
Custodian and other terms used on this page are defined in the University Information Security Policy.
Where a system or service is not managed by a Harvard IT organization, the individual implementing, procuring, or operating the system or service is considered the Custodian. Every system and service must have at least one Custodian.
Custodians are also Community Members and must meet all Community Member responsibilities and requirements. In addition, to fulfill their responsibilities under the University Information Security Policy, Custodians must adhere to the requirements in this document for the systems and services they manage.
Because Harvard’s technology environment includes a wide range of systems and services, requirements are determined based on system or service type and risk classification. Custodians must ensure that each system or service is appropriately classified in accordance with the University Risk Classifications and that all applicable requirements are implemented and periodically reviewed. Custodians should work with the business owner and/or PrivSec to determine or validate the appropriate risk classification as needed.
System and Service Types:
- Endpoint (including laptops, desktops, and mobile devices)
- Server
- Application
- Cloud Service (SaaS)
- Cloud Infrastructure (IaaS/PaaS)
- Network Infrastructure
- Vendor-managed or contracted service
If you are unsure which requirements are applicable to your system or service, contact your School PrivSec Officer or PrivSec for guidance.
To support the requirements, the University may publish security standards that specify technical and operational expectations. Where such standards exist, applicable systems and processes must comply with them. Current standards are available on the PrivSec website.

University Risk Classification Level(s)

| Requirement | 1 & 2 | 3 | 4 & 5 |
|---|---|---|---|
| Maintain an accurate, up-to-date inventory of all systems, applications, and network devices. Record relevant details such as location, function, risk level, and data classification | All | All | |
| Disable unnecessary services, protocols, and ports | All | All | All |
| Enforce screen lock and/or session logout after a defined inactivity period | All | All | All |
| Deploy university standard Endpoint Detection and Response tool on University Systems or Devices, where the tool is supported | Endpoint, Server | Endpoint, Server | Endpoint, Server |
| Manage default accounts. Disable accounts or change default passwords | All | All | All |
| Use supported software and hardware; retire or isolate assets | All | All | All |
| Apply security updates within timeframes defined by University standards, including firmware and third-party components | Endpoint, Server, Application, Network | Endpoint, Server, Application, Network | Endpoint, Server, Application, Network |
| Conduct regular vulnerability scans | Server | Server | Server |
| Remediate vulnerabilities within timeframes defined by University standards | Endpoint, Server, Application, Network | Endpoint, Server, Application, Network | Endpoint, Server, Application, Network |

University Risk Classification Level(s)

| Requirement | 1 & 2 | 3 | 4 & 5 |
|---|---|---|---|
| Use accounts in Harvard-managed authentication systems (e.g., HarvardKey) where technically feasible | All | All | All |
| Use dedicated administrator accounts and limit administrative privileges to only those necessary | Server, Application, Network, SaaS | Server, Application, Network, SaaS | Server, Application, Network, SaaS |
| Implement role-based access control where available, including authorization filters for HarvardKey integrated systems | Server, Application, Network, SaaS | Server, Application, Network, SaaS | Server, Application, Network, SaaS |
| Require multi-factor authentication for administrative access | Server, Application, Network, SaaS, IaaS/PaaS | Server, Application, Network, SaaS, IaaS/PaaS | Server, Application, Network, SaaS, IaaS/PaaS |
| Periodically (no less than annually) change, reset, or update authentication secrets (passwords, keys, credentials, and other authentication tokens) for high-level administrative or service accounts | Server, Application, Network, SaaS | Server, Application, Network, SaaS | Server, Application, Network, SaaS |
| Implement secrets management when supported by the system or application infrastructure. If not supported, document alternative controls used to ensure authentication secrets, such as passwords and API keys, are encrypted in storage and transit, are not hardcoded, and use is audited | Server, Application, Network, SaaS | | |
| Implement a process or control to manage authorization on role change or removal | Server, Application, Network | Server, Application, Network | Server, Application, Network |

The following requirements are handled by HarvardKey when that is the authentication method. The Custodian is responsible for them when using local accounts or other authentication methods.

| Requirement | 1 & 2 | 3 | 4 & 5 |
|---|---|---|---|
| Implement controls to restrict password guessing if they are available | All | All | All |
| Use unique passwords | All | All | All |
| Use unique accounts | All | All | All |
| Require multi-factor authentication for remote authentications | All | All | All |
| Establish and maintain an inventory of accounts | Server, Application, Network | Server, Application, Network | Server, Application, Network |
| Implement a process to identify and disable or remove dormant accounts | Server, Application, Network | Server, Application, Network | Server, Application, Network |

University Risk Classification Level(s)

| Requirement | 1 & 2 | 3 | 4 & 5 |
|---|---|---|---|
| Encrypt data at rest | Endpoint | Endpoint, Server, Application | Server, Application |
| Encrypt data in transit | All | All | All |
| Securely destroy data when decommissioning or repurposing systems | Endpoint, Server | Endpoint, Server | Endpoint, Server |
| Limit data retention consistent with the General Records Schedule, legal requirements, and business need | All | All | All |

University Risk Classification Level(s)

| Requirement | 1 & 2 | 3 | 4 & 5 |
|---|---|---|---|
| Back up systems and data consistent with business continuity requirements | Endpoint, Server | Endpoint, Server | |
| Validate data recovery capabilities periodically to ensure data can be restored within required timeframes | Server | | |

University Risk Classification Level(s)

| Requirement | 1 & 2 | 3 | 4 & 5 |
|---|---|---|---|
| Collect and retain relevant application, audit, security and system logs necessary to support security monitoring, incident response, and compliance requirements. Retain per the General Records Schedule | All | All | All |
| Log all access to high-risk data | All | | |
| Send relevant logs to, and maintain them in, a log collection system separate from the source system | Server, Application | Server, Application | |

University Risk Classification Level(s)

| Requirement | 1 & 2 | 3 | 4 & 5 |
|---|---|---|---|
| Implement and manage firewall | Endpoint, Server | Endpoint, Server | Endpoint, Server |
| Restrict outbound network traffic | Server | | |
| Protect web applications with a Web Application Firewall if available | Application | Application | |
| Use private IP addresses | Server, IaaS, Network Infrastructure | | |
| Protect against denial of service (e.g., DDoS) attacks | Application, SaaS | | |
| Restrict physical access to systems, including server rooms, network closets, and racks | Server, Infrastructure | Server, Infrastructure | |

University Risk Classification Level(s)

| Requirement | 1 & 2 | 3 | 4 & 5 |
|---|---|---|---|
| Consult with a university procurement team and include necessary clauses in contracts | SaaS, IaaS | SaaS, IaaS | SaaS, IaaS |
| Complete a risk assessment before signing a contract | SaaS, IaaS | SaaS, IaaS | |
| Confirm data destruction at contract expiration | SaaS, IaaS | SaaS, IaaS | SaaS, IaaS |

University Risk Classification Level(s)

| Requirement | 1 & 2 | 3 | 4 & 5 |
|---|---|---|---|
| Support and participate in incident response activities | All | All | All |
| Remediate significant issues identified in incident response or penetration tests promptly | All | All | All |

Exceptions
All exceptions to the above requirements must be formally requested and must be reviewed and approved by the Chief Information Security and Data Privacy Officer (CISDPO) or their designee. Additional approvals may be required based on the nature of the exception.
Support and Governance
If you are unsure of the identity of the relevant System or Service Custodian or have questions about these responsibilities, please contact your School PrivSec Officer or PrivSec. Material changes to these requirements will be subject to review and approval by the Information Security Advisory Council (ISAC).
Related Resources
Use these resources to take the next step, find University guidance, or explore trusted external references.
University Resources
Official university guidance, approved tools, and support resources.
- University Information Security Policy
- University Risk Classification
- Minimum Standards
- Acceptable Use Policy (pending)