Apply Standards

The Minimum Standards are a set of fundamental cybersecurity criteria designed to ensure a consistent baseline is applied across University assets. These standards help students, faculty, and staff protect University assets, safeguard data integrity, prevent unauthorized access, and comply with both internal policy and external regulatory obligations.

  • Researchers should visit the OVPR’s Research Data Management site for additional policy considerations.
  • Contractual or legal requirements may override these standards.
  • Institutional policy or system limitations may override these standards.


University Minimum Standards

  • Use the University Risk Classification schema to determine which Minimum Standard should be applied.
  • Only high-level requirements are represented in the tables below. Use the linked guides to apply the Minimum Standards.
  • Level 5 (Federal Requirements): Reserved for exceptional cases. If you think your data meets Level 5, contact your School Privacy & Security Officer for guidance.

Personal Devices

Computers, laptops and mobile devices purchased and maintained by a community member.

Use this How To Guide for additional details to apply the Minimum Standards (HarvardKey required).

| Requirement | What to do | Levels 1&2 | Level 3 | Level 4* |
| --- | --- | --- | --- | --- |
| Network Registration | Register devices before connecting to the University network. | ✔️ | ✔️ | n/a |
| Passwords | Create strong, unique passwords. Use Multi-Factor Authentication where possible. | ✔️ | ✔️ | n/a |
| Account Permissions | Limit access to only those who need it. | ✔️ | ✔️ | n/a |
| Configuration | Configure devices and software securely, including updating, encryption and authentication. | ✔️ | ✔️ | n/a |
| Reporting Incidents | Report lost or stolen data, devices and any suspicious cyber activity. | ✔️ | ✔️ | n/a |
| Data Destruction | Securely dispose of data and devices. | ✔️ | ✔️ | n/a |

*Level 4 data should not be stored on personal devices. Use University-approved services or secure external media.

University Devices

Computers, laptops and mobile devices purchased and maintained by the University (purchased through University Finance or research grants).

Use this How To Guide for additional details to apply the Minimum Standards (HarvardKey required).

| Requirement | What to do | Levels 1&2 | Level 3 | Level 4* |
| --- | --- | --- | --- | --- |
| Network Registration | Register the device before connecting to the University network. | ✔️ | ✔️ | n/a |
| Asset Inventory | Maintain a comprehensive inventory of devices using a centralized system. | ✔️ | ✔️ | n/a |
| Apply Updates | Ensure that all systems and software are up to date. | ✔️ | ✔️ | n/a |
| Passwords | Create strong, unique passwords. Use Multi-Factor Authentication where possible. | ✔️ | ✔️ | n/a |
| Authentication | Require Multi-Factor Authentication. Integrate with Central Authentication Service where possible. | ✔️ | ✔️ | n/a |
| Account Permissions | Configure for least privilege. Use group policy. Integrate with Central Authorization Service where possible. | ✔️ | ✔️ | n/a |
| Default Accounts | Reset initial passwords; disable or render root/admin unusable. | ✔️ | ✔️ | n/a |
| Configuration | Apply standardized management tools on devices for configuration, including Centralized Managed Detection and Response. | ✔️ | ✔️ | n/a |
| File Permissions | Disable “public” permissions. | ✔️ | ✔️ | n/a |
| Encryption at Rest | Enable encryption features to secure data stored on devices. | ✔️ | ✔️ | n/a |
| Encryption in Transit | Use current encryption protocols for data in transit. | ✔️ | ✔️ | n/a |
| Patching | Follow a managed patching schedule for operating system and software. Automate patching where possible. | ✔️ | ✔️ | n/a |
| Data Backups | Regularly back up documents to a secure location. | ✔️ | ✔️ | n/a |
| Reporting Incidents | Report lost or stolen data, devices and any suspicious cyber activity. | ✔️ | ✔️ | n/a |
| Data Destruction | Securely dispose of data and devices. | ✔️ | ✔️ | n/a |

*Level 4 data should not be stored on University devices. Use University-approved services or secure external media.

Servers

On-premises or cloud-based computing resources used for processing, storage, and application support.

Use this How To Guide for additional details to apply the Minimum Standards (HarvardKey required).

| Requirement | What to do | Levels 1&2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- |
| Asset Inventory | Maintain a comprehensive inventory of servers using a centralized system. | ✔️ | ✔️ | ✔️ |
| Apply Updates | Ensure that all systems and software are up to date. | ✔️ | ✔️ | ✔️ |
| Passwords | Create strong, unique passwords. Use Multi-Factor Authentication where possible. | ✔️ | ✔️ | ✔️ |
| Authentication | Require Multi-Factor Authentication. Integrate with Central Authentication Service where possible. | ✔️ | ✔️ | ✔️ |
| Account Permissions | Configure for least privilege. Use group policy. Integrate with Central Authorization Service where possible. | ✔️ | ✔️ | ✔️ |
| Default Accounts | Reset initial passwords; disable or render root/admin unusable. | ✔️ | ✔️ | ✔️ |
| Configuration | Apply standardized management protocols across operating systems, including Centralized Managed Detection and Response. | ✔️ | ✔️ | ✔️ |
| File Permissions | Disable “public” permissions. | ✔️ | ✔️ | ✔️ |
| Encryption at Rest | Apply tools to encrypt data stored on disk. | ❌ | ❌ | ✔️ |
| Encryption in Transit | Use current encryption protocols for data in transit. | ✔️ | ✔️ | ✔️ |
| Network Access | Use private IP addresses and restrict outbound traffic to necessary functions. | ❌ | ❌ | ✔️ |
| Remote Access | Encrypt all remote connections and require Multi-Factor Authentication. | ✔️ | ✔️ | ✔️ |
| Firewalls | Block unnecessary server-to-server communications, permit only essential inbound traffic, and separate servers from end-user networks. | ✔️ | ✔️ | ✔️ |
| Web Application | Protect servers hosting web applications with a Web Application Firewall. | ✔️ | ✔️ | ✔️ |
| Scanning | Conduct regular security scans and centralize the reporting process. | ✔️ | ✔️ | ✔️ |
| Patching | Follow a managed patching schedule for operating system and software. Automate patching where possible. | ✔️ | ✔️ | ✔️ |
| Logging | Record and forward application, system, and security events to a centralized log management system. | ❌ | ✔️ | ✔️ |
| Data Backups | Regularly back up important data securely. | ❌ | ✔️ | ✔️ |
| Reporting Incidents | Report lost or stolen data and any suspicious cyber activity. | ✔️ | ✔️ | ✔️ |
| Data Destruction | Securely dispose of data and hardware. | ✔️ | ✔️ | ✔️ |

SaaS

Software as a Service provides software applications over the internet, accessed through a web browser.

Use this How To Guide for additional details to apply the Minimum Standards (HarvardKey required).

| Requirement | What to do | Levels 1&2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- |
| Asset Inventory | Maintain a comprehensive inventory of applications using a centralized system. | ✔️ | ✔️ | ✔️ |
| Passwords | Create strong, unique passwords. Use Multi-Factor Authentication where possible. | ✔️ | ✔️ | ✔️ |
| Authentication | Require Multi-Factor Authentication. Integrate with Central Authentication Service where possible. | ✔️ | ✔️ | ✔️ |
| Account Permissions | Configure for least privilege. Use group policy. Integrate with Central Authorization Service where possible. | ✔️ | ✔️ | ✔️ |
| Default Accounts | Reset initial passwords; disable or render root/admin unusable. | ✔️ | ✔️ | ✔️ |
| Configuration | Follow vendor-recommended best practices. | ✔️ | ✔️ | ✔️ |
| File Permissions | Disable “public” permissions. | ✔️ | ✔️ | ✔️ |
| Encryption in Transit | Use secure transfer protocols or approved collaboration tools when sharing data with vendors. | ✔️ | ✔️ | ✔️ |
| Logging | Record and forward application, system, and security events to a centralized log management system. | n/a | ✔️ | |
| Contracts | Consult with a university procurement team and include all necessary clauses. | ✔️ | ✔️ | ✔️ |
| Risk Assessments | Request a risk assessment before signing any contract. | ❌ | ❌ | ✔️ |
| Reporting Incidents | Report lost or stolen data and any suspicious cyber activity. | ✔️ | ✔️ | ✔️ |
| Data Destruction | Confirm the data destruction timeline at contract expiration. | ❌ | ✔️ | ✔️ |

IaaS

Infrastructure as a Service (the control plane, also called the management plane) provides resources such as virtual servers, storage space, and networking over the internet.

Use this How To Guide for additional details to apply the Minimum Standards (HarvardKey required).

| Requirement | What to do | Levels 1&2 | Level 3 | Level 4 |
| --- | --- | --- | --- | --- |
| Asset Inventory | Maintain a comprehensive inventory of resources using a centralized system. | n/a | ✔️ | ✔️ |
| Apply Updates | Ensure that all systems and software are up to date. | n/a | ✔️ | ✔️ |
| Passwords | Create strong, unique passwords. Use Multi-Factor Authentication where possible. | n/a | ✔️ | ✔️ |
| Authentication | Require Multi-Factor Authentication. Integrate with Central Authentication Service where possible. | n/a | ✔️ | ✔️ |
| Account Permissions | Configure for least privilege. Use group policy. Integrate with Central Authorization Service where possible. | n/a | ✔️ | ✔️ |
| Default Accounts | Reset initial passwords; disable or render root/admin unusable. Restrict API access. | n/a | ✔️ | ✔️ |
| Configuration | Apply standardized infrastructure as code to provision resources. Configure cloud monitoring, detection and compliance management solutions. | n/a | ✔️ | ✔️ |
| Encryption in Transit | Use current encryption protocols for data in transit. | n/a | ✔️ | ✔️ |
| Network Access | Use private IP addresses and restrict outbound traffic to necessary functions. | n/a | ❌ | ✔️ |
| Firewalls | Permit only essential inbound and outbound traffic. | n/a | ✔️ | ✔️ |
| DDoS Prevention | Activate protection against DDoS attacks. | n/a | ❌ | ✔️ |
| Logging | Record and forward application, system, and security events to a centralized log management system. | n/a | ❌ | ✔️ |
| Scanning | Conduct regular security scans and centralize the reporting process. | n/a | ✔️ | ✔️ |
| Data Storage | Limit data storage to specific U.S.-based regional locations. | n/a | ✔️ | ✔️ |
| Data Backups | Regularly back up important data, including infrastructure configurations, to a secure location. | n/a | ✔️ | ✔️ |
| Contracts | Consult with a university procurement team and include all necessary clauses. | n/a | ✔️ | ✔️ |
| Risk Assessments | Request a risk assessment before signing any contract. | n/a | ❌ | ✔️ |
| Reporting Incidents | Report lost or stolen data and any suspicious cyber activity. | n/a | ✔️ | ✔️ |

Privacy Insight

At Harvard, we are dedicated to safeguarding personal data. Securing assets is an important step, but not all that is required. Certain information, including health and financial data, may require additional steps beyond securing an asset in order to comply with a law and/or regulation. For more information, reference the Privacy Principles guide and training.