Under Harvard's compliance program, Schools and service organizations within central administration are responsible for complying with the Enterprise Security Policy. The School CIOs and the Central Admin IT managers annually review and report on their levels of compliance with Harvard's Enterprise Information Security Policy to the University CIO.

As part of its scheduled review of Harvard’s School information technology areas, Harvard Risk Management and Internal Audit (RMAS) periodically review each School’s compliance and related education and remediation activities. If other efforts fail Harvard community members may anonymously report areas of concern or non-compliance. (See Anonymous Reporting.)