6.1 Contracts
Policy
Harvard vendors that handle Harvard confidential information, whether or not they obtain the data directly from Harvard, must have a written contract covering their services, including the appropriate contract riders requiring the protection of Harvard's information. The security design, policies, and procedures of vendors that will receive, collect, store, or process high-risk confidential information must be reviewed by the Harvard Information Security Officer and/or Harvard Risk Management and Audit Services.
People or groups at Harvard who wish to contract with a vendor to collect or work with high-risk confidential information must also obtain prior approval from the School and/or University CIO.
Discussion
Any contract with a vendor that will or might obtain access to confidential or sensitive information should contain provisions obliging the vendor to protect that information. See the OGC vendor contract riders for such provisions.
Each contract with a vendor that Harvard engages to store, process, or host high-risk information should contain the provisions set out in the contract riders.
In most cases the Harvard Information Security Officer or a school information security officer must review the security of any such vendor before the engagement proceeds.
No additional review is required for a vendor that will handle only non-high-risk information and agrees to abide by the appropriate contract terms.
Best Practice
Use the University standard contract riders for vendor agreements involving the use or management of confidential information.
http://www.security.harvard.edu/resources/statements/contract-riders