
2.4 Identifying Users with Access to Confidential Information

Harvard Enterprise Security Policy:

Policy Excerpt
System owners must be able to identify individual users of systems that contain or access confidential information. Passwords used to access such systems must meet current industry standards for length and complexity. User passwords must not be shared and must not be retrievable by anyone, including the system operator.
The Harvard PIN system or LDAP Server are to be used for University applications that access confidential information unless a specific exception is made by the University CIO.

HLS Policy:

Business owners of systems have been identified, and a bi-annual review of application access will happen on a rolling basis. If you have a system with High Risk Confidential Information and you are not currently working with HLS ITS on this process, please contact Security(

HLS ITS has implemented the following password policy: a password must include three of the following 4 elements: lowercase alphabetic character, uppercase alphabetic character, number, or symbol (such as @, #, $, %, ^, &, *).

See Section 2.7 for additional information regarding identifying individual users of a system and Section 2.10 regarding Confidentiality Agreements.

Frequently Asked Questions:

Q: Is it acceptable to share my password?
A: You should never share your password with anyone. This includes co-workers and family members.

Q: What constitutes a good password?
A: HLS ITS prefers the term ‘passphrase’. Please see Password FAQ for more information regarding the HLS passphrase policy and passphrase requirements.

Last modified: November 06, 2008

© 2015 The President and Fellows of Harvard College. All rights reserved.