The individual responsible for negotiating the contract with a new vendor providing a service that involves protected Harvard confidential information should review and implement the following recommendations prior to signing a contract.
1. Inform the UISO of the pending contract.
2. Obtain relevant sample contract clauses pertaining to "Protecting Harvard Confidential information" and add to the draft contract that is under discussion. Work with the OGC if the vendor wants changes to the clauses.
3. Arrange for an in-person meeting with the UISO and the person or group responsible for the vendor's network, data and system security to review the vendor's intended approach to protecting the Harvard data. The UISO will determine if a Risk Management (RMAS) audit is required and will inform the vendor and the department contact accordingly.
4. If required, the UISO facilitates the information security audit with RMAS and will inform the department contact of any changes that are required based on the outcome of the audit. This may necessitate a change or addition to the contract with the vendor.
5. The UISO will periodically review progress made toward compliance; in cases of unfavorable outcome, the UISO may recommend that the final contract not be signed or be significantly amended.