Systems that might be targets of special interest to hackers because of the information they contain or the resources they control need special protections. This category includes systems containing high-risk confidential information (HRCI); building management, control and access systems; and systems containing valuable research data.
All such high-risk systems and those containing HRCI must be on private address space and locally firewalled. Annual vulnerability testing must be done on all high-risk servers and those containing HRCI.
Many computers at Harvard contain very sensitive or valuable information that might not fit the definition of high-risk information, such as potentially valuable research results. Other computers are used to control access to facilities or to control important resources such as electrical power distribution or building environmental systems. Such systems, as well as systems that are used to store high-risk confidential information, need to be very well protected if they are to be connected to the network. Specific guidelines for building systems can be found here: http://isites.harvard.edu/k49729 [1]
Note: Access to this information is restricted via HUID/PIN registration and approval by the site administrator. Sections of relevance: 1) C-CURE Physical Access Control Systems: IT Best Practices and 2) Facilities IP based systems: IT security considerations, best practices and resources
Such systems should only be connected to the network if there is a business requirement. Physical or virtual systems should be dedicated to a specific purpose rather than being shared by multiple applications.
In those cases where connection to the network is a business requirement, target systems should be physically secure and connected to special network segments that are dedicated to such systems. User computers should not be connected to such special network segments. The network segments should use private addressing and be protected by firewalls. The firewalls should block all unneeded inbound and outbound traffic and only enable administrative access from those computers that are used by the system administrators. All administrative access to such systems should be logged, and logs should also be maintained of the activities of administrative users on the systems. Operators of such systems should also consider the use of multi-factor authentication for administrative access.
All high-risk systems and those containing HRCI must undergo vulnerability testing at least annually. Vulnerabilities discovered by such testing that could be exploited to produce a security breach must be promptly remediated, or the system must be disconnected from the network until they are.
Physical Access Control Systems and IP based Facilities Systems [1]
Links:
[1] http://isites.harvard.edu/k49729