Develop and promulgate a policy that sets out the School's requirements for acceptable remote computer access to confidential information.
Sample requirements for any computer to be used to access confidential information:
- All software and operating system patches must be up-to-date
- Anti-virus/anti-malware must be installed, configured for real-time detection, and up-to-date
- The system must be separated from the Internet using a network firewall configured to block all unwanted inbound traffic
- A host-based firewall must be installed, running, and configured to block all unsolicited traffic
- Laptops and other portable systems must be encrypted
- Accounts with administrative privileges must use strong passwords
- Web browsers must be configured to not store passwords
- All users of the system must have individual accounts configured with non-administrative access. Harvard users must configure their accounts with a strong password.
Sample additional recommendations for computers used to access confidential information:
- Use application whitelisting software
- Use web browsers that limit script execution
- Use host-based intrusion detection software
- Encrypt desktop systems
- Use virtualization software with a purpose-built, dedicated virtual machine that implements the controls listed here and is used only for this purpose
Additionally, require users to attest annually in writing that they (a) require remote access to confidential information and (b) understand and have implemented the requirements on all systems used to access confidential information.