# System or Service Custodian Responsibilities ![person pointing to a data map on white board](/sites/g/files/omnuum12036/files/styles/hwp_1_1__360x360_scale/public/2026-05/systemcustrole.jpeg?itok=pLdlncWz) ## System or Service Custodian If you are in control of or responsible for the operation, maintenance, or vendor management of a system or service processing University Data, you are a System or Service Custodian. Custodian and other terms used on this page are defined in the University Information Security Policy. Where a system or service is not managed by a Harvard IT organization, the individual implementing, procuring, or operating the system or service is considered the Custodian. Every system and service must have at least one Custodian. Custodians are also Community Members and must [meet all Community Member responsibilities](https://privsec.harvard.edu/community-members-responsibilities) and requirements. In addition, to fulfill their responsibilities under the University Information Security Policy, Custodians must adhere to the requirements in this document for the systems and services they manage. Because Harvard’s technology environment includes a wide range of systems and services, requirements are determined based on system or service type and risk classification. Custodians must ensure that each system or service is appropriately classified in accordance with the [University Risk Classifications](https://privsec.harvard.edu/classify-risk) and that all applicable requirements are implemented and periodically reviewed. Custodians should work with the business owner and/or PrivSec to determine or validate the appropriate risk classification as needed. System and Service Types: - Endpoint (including laptops, desktops, and mobile devices) - Server - Application - Cloud Service (SaaS) - Cloud Infrastructure IaaS/PaaS - Network Infrastructure - Vendor-managed or contracted service If you are unsure which requirements are applicable to your system or service, contact your School PrivSec Officer or PrivSec for guidance. To support the requirements, the University may publish security standards that specify technical and operational expectations. Where such standards exist, applicable systems and processes must comply with them. Current standards are available on the PrivSec website. Open all sections Close all sections ### Managing and securing assets and configurations expand\_more SortUniversity Risk Classification Level(s) SortRequirement1 & 234 & 5Maintain an accurate, up-to-date inventory of all systems, applications, and network devices. Record relevant details such as location, function, risk level, and data classification All All Disable unnecessary services, protocols, and ports All All All Enforce screen lock and/or session logout after a defined inactivity period All All All Deploy university standard Endpoint Detection and Response tool on University Systems or Devices, where the tool is supported Endpoint, Server Endpoint, Server Endpoint, Server Manage default accounts. Disable accounts or change default passwords All All All Use supported software and hardware; retire or isolate assets All All All Apply security updates within timeframes defined by University standards, including firmware and third-party components Endpoint, Server, Application, Network Endpoint, Server, Application, Network Endpoint, Server, Application, Network Conduct regular vulnerability scans Server Server Server Remediate vulnerabilities within timeframes defined by [University standards](https://www.huit.harvard.edu/university-wide-vulnerability-management-standards) Endpoint, Server, Application, Network Endpoint, Server, Application, Network Endpoint, Server, Application, Network ### Controlling and protecting access and identity expand\_more SortUniversity Risk Classification Level(s) SortRequirement1 & 234 & 5Use accounts in Harvard-managed authentication systems (e.g., HarvardKey) where technically feasible All All All Use dedicated administrator accounts and limit administrative privileges to only those necessary Server, Application, Network, SaaS Server, Application, Network, SaaS Server, Application, Network, SaaS Implement role-based access control where available, including authorization filters for HarvardKey integrated systems Server, Application, Network, SaaS Server, Application, Network, SaaS Server, Application, Network, SaaS Require multi-factor authentication for administrative access Server, Application, Network, SaaS, IaaS/PaaS Server, Application, Network, SaaS, IaaS/PaaS Server, Application, Network, SaaS, IaaS/PaaS Periodically (no less than annually) change, reset, or update authentication secrets (passwords, keys, credentials, and other authentication tokens) for high-level administrative or service accounts Server, Application, Network, SaaS Server, Application, Network, SaaS Server, Application, Network, SaaS Implement secrets management when supported by the system or application infrastructure. If not supported, document alternative controls used to ensure authentication secrets, such as passwords and API keys, are encrypted in storage and transit, are not hardcoded, and use is audited Server, Application, Network, SaaS Implement a process or control to manage authorization on role change or removal Server, Application, Network Server, Application, Network Server, Application, Network SortThe following requirements are handled by HarvardKey when that is the authentication method. The Custodian is responsible for them when using local accounts or other authentication methods. SortRequirement1 & 234 & 5Implement controls to restrict password guessing if they are available All All All Use unique passwords All All All Use unique accounts All All All Require multi-factor authentication for remote authentications All All All Establish and maintain an inventory of accounts Server, Application, Network Server, Application, Network Server, Application, Network Implement a process to identify and disable or removed dormant accounts Server, Application, Network Server, Application, Network Server, Application, Network ### Protecting University Data expand\_more SortUniversity Risk Classification Level(s) SortRequirement1 & 234 & 5Encrypt data at rest Endpoint Endpoint, Server, Application Server, Application Encrypt data in transit All All All Securely destroy data when decommissioning or repurposing systems Endpoint, Server Endpoint, Server Endpoint, Server Limit data retention consistent with the General Records Schedule, legal requirements, and business need All All All ### Maintaining backup, recovery, and continuity capabilities expand\_more SortUniversity Risk Classification Level(s) SortRequirement1 & 234 & 5Backup systems and data consistent with business continuity requirements Endpoint, Server Endpoint, Server Validate data recovery capabilities periodically to ensure data can be restored within required timeframes Server ### Monitoring, reviewing, and detecting information security related activity expand\_more SortUniversity Risk Classification Level(s) SortRequirement1 & 234 & 5Collect and retain relevant application, audit, security and system logs necessary to support security monitoring, incident response, and compliance requirements. Retain per the General Records Schedule All All All Log all access to high-risk data All Send relevant logs to, and maintain them in, a log collection system separate from the source system Server, Application Server, Application ### Securing networks and infrastructure expand\_more SortUniversity Risk Classification Level(s) SortRequirement1 & 234 & 5Implement and manage firewall Endpoint, Server Endpoint, Server Endpoint, Server Restrict outbound network traffic Server Protect web applications with a Web Application Firewall if available Application Application Use private IP addresses Server, IaaS, Network Infrastructure Protect against denial of service (e.g., DDoS) attacks Application, SaaS Restrict physical access to systems, including server rooms, network closets, and racks Server, Infrastructure Server, Infrastructure ### Managing vendors and cloud services responsibly expand\_more SortUniversity Risk Classification Level(s) SortRequirement1 & 234 & 5Consult with a university procurement team and include necessary clauses in contracts SaaS, IaaS SaaS, IaaS SaaS, IaaS Complete a risk assessment before signing a contract SaaS, IaaS SaaS, IaaS Confirm data destruction at contract expiration SaaS, IaaS SaaS, IaaS SaaS, IaaS ### Preparing for and responding to privacy and security incidents expand\_more SortUniversity Risk Classification Level(s) SortRequirement1 & 234 & 5Support and participate in incident response activities All All All Remediate significant issues identified in incident response or penetration tests promptly All All All ### Exceptions All exceptions to the above requirements must be formally requested, and must be reviewed and approved by, the Chief Information Security and Data Privacy Officer (CISDPO) or their designee. Additional approvals may be required based on the nature of the exception. ### Support and Governance If you are unsure of the identity of the relevant System or Service Custodian or have questions about these responsibilities, please contact your School PrivSec Officer or PrivSec. Material changes to these requirements will be subject to review and approval by the Information Security Advisory Council (ISAC). ## Related Resources Use these resources to take the next step, find University guidance, or explore trusted external references. ### University Resources Official university guidance, approved tools, and support resources. - [University Information Security Policy](/information-security-policy-archived "Information Security Policy - Archived") - [University Risk Classification](/classify-risk "Classify Risk") - [Minimum Standards](/apply-standards) - Acceptable Use Policy (pending) ### Industry Resources Trusted external cybersecurity and privacy guidance. - [CISA Resources & Toolkits](https://www.cisa.gov/resources-tools/all-resources-tools) - [SANS Institute Free Community Resources & Internet Storm Center](https://www.sans.org/security-resources) - [PortSwigger Web Security Academy](https://portswigger.net/web-security) ### Related Topics Explore related privacy and security best practices. - [Application & Web Security](/best-practices-application-web-security "Best Practices - Application & Web Security") - [Cloud Platform & SaaS Integrations](/best-practices-cloud-platforms-saas-integrations "Best Practices - Cloud Platforms & SaaS Integrations") - [Generative AI](/best-practices-managing-generative-ai-systems "Best Practices: Managing Generative AI Systems")