6.0 Working With Vendors / Contracts

Harvard Enterprise Security Policy:

Policy Excerpt
Under Massachusetts law Harvard is responsible for any improper handling of high risk confidential information by any vendor that collects, processes, or maintains the information for Harvard.
Harvard vendors dealing with Harvard confidential information, whether or not they obtain the data directly from Harvard, must have a written contract covering their services including the proper contract riders requiring the protection of Harvard’s information. The security design, policies, and procedures of vendors who will receive, collect, store or process high-risk confidential information must be reviewed by the Harvard Information Security Officer and/or Harvard Risk Management and Audit Services.
People or groups at Harvard who wish to contract with a vendor to collect or work with high-risk confidential information must also obtain prior approval from the School and/or University CIO.

HLS Policy:

HLS requires any vendor or application to go through a security review process in order to determine if a contract rider is needed. HLS ITS and Harvard reserve the right not to provide data to any department or vendor who cannot meet approved security requirements and contractual agreements.

Approved Solution:

Contact Security for assistance with the security review and contract process.

Last modified: November 06, 2008

© 2015 The President and Fellows of Harvard College. All rights reserved.