
Just as important as knowing what minimum security resources are needed is a sense of where exceptions are important, and an inventory of waivers to the standards with the reasons the waivers were given. This means updating the standards as the mix of resources changes. As a practical matter, it is important to manage those changes with as much automation as possible to maximize both effectiveness and efficiency of IT operations. IT environments undergo continuous change.

Table 2 - Security components with HUIT and NIST Compliance (columns: NIST Cyber-Security Framework (CSF) Objective; HUIT Information Security Policy Objective)

The overarching goal of this work is to satisfy Harvard’s HUIT Information Security Policy Objectives and NIST Cyber-Security Framework (CSF) Objectives.

The scope of this standard extends to all server instances that are within the HUIT domains on a fully-managed basis, or are hosted within HUIT on behalf of customers that administer the server instances.

HUIT requires that all HUIT-hosted/managed server instances conform to these specifications beginning July, 2020.
Other Harvard organizations SHOULD follow HUIT’s lead by conforming to these specifications.
HUIT teams MUST respond to, and remediate, vulnerabilities and threats in coordination with their organization’s Security Teams and in accordance with their organization’s security policies and SLAs.
All HUIT-hosted/managed server instances MUST conform to the Server Security specifications in this document.
All Harvard server instances MUST deploy CrowdStrike Falcon Host to detect intrusions.
All Harvard deployed operating systems MUST be supported by the vendor.

The discussions that follow will elaborate on the current standard definitions, future roadmap activities, and any known concerns about implementation. These standards are intended to provide simple guidance and effective server security. HUIT is committed to managing IT resources, on behalf of its customers, in a secure way.
Table 1 - Security Capabilities and Products

System and S-MVP service health is monitored
Malware is detected, logged, and remediated
Intrusions are detected and appropriate action(s) are taken

As a result, HUIT believes there are seven characteristics of a well-managed server environment, which taken together represent the minimum standard for HUIT server security:

We live in a world where IT resources such as server instances are aggressively targeted by individuals, organizations, and national actors. This results in passive damage such as exfiltration of intellectual property, or active damage such as data ransoming or destruction. Harvard’s HUIT organization has made a deliberate effort to align with recommendations from multiple organizations such as NIST, OWASP, SANS, and other universities.
