Policy Rationale

The world of cyber security has evolved to the point to which there now exists a shared responsibility with regard to protections and controls. It is possible for a single individual to adversely impact a larger number of individuals. Due to the impact that each individual has on the rest of the collective community, Harvard Medical School requires all end point systems connecting to non-public HMS networks to conform to a base line security posture by installing security software that protects against the most common attacks which leverage end point systems in order to: steal credentials, obtain unauthorized access, install malicious software (including Ransomware), or otherwise disrupt the normal operations of Harvard Medical School and its mission.

Policy Statements

  1. All End Point Systems that are connected to a non-public HMS wireless or wired network must have the HMS Cyber Essentials security software bundle installed.
  2. All End Points shall conform to the HMS IT standard naming convention. Hostnames or systems names are separate from DNS names, which may be customized based on need.
  3. Systems, such as computers used for collecting instrument data, that cannot conform to this policy without undue impact on the system’s ability to operate as expected shall have alternative compensating controls (E.G., hosted on separate network, whitelisting software, etc.).


Cyber Essentials: A bundle of software applications determined by HMS IT to be essential as a minimum baseline for security and interoperability. The Cyber Essentials bundle includes, but may not be limited to: Systems Management Software, Approved Anti-Virus Software, Enterprise Backup Software, and some form of next-generation end point protection software. The specific composition of the Cyber Essentials bundle may vary over time; its current components are defined in Exhibit 1.

End Point or End Point System: Desktop or laptop systems used by individuals, running the Windows, OS X, or Linux systems. For the purposes of the policy, mobile devices, such as tablets and mobile smart phones, are not considered to be in scope.

Non-public HMS Network: A network that is designated for private HMS use, or one that is not intended for free and unfettered use. Such networks include, but are not limited to, the HMS Private wireless network, and all wired networks that have been provisioned on the HMS campus, HMS occupied buildings, and other locations, such as remote sites.

Systems Management Software: Software designed to manage end point systems by gathering system-specific data and provide the central ability to deploy and manage important software and updates, and policy compliance measures, such as encryption, password requirements, etc.

Review Period

The Cyber Essentials Policy will be reviewed and updated – as needed – on an annual basis