Working with Vendors :: Protecting Confidential Information
 
 

1. Policy Statement

        Harvard vendors dealing with Harvard confidential information must have a written contract covering their services.  Such contracts must include specific clauses requiring the vendor to protect the data.  The security design, policies and procedures of some vendors must be reviewed by the Harvard Information Security Officer and/or Harvard Risk Management and Audit Services.

2. Scope of Policy Applicability

        This requirement applies to all Harvard vendors who deal with personally identifiable confidential information obtained from Harvard or who obtain such data from Harvard-affiliated people, as well as to all vendors who deal with other confidential information.

3. Definitions

confidential information

personally identifiable data

4. Specific Policies

4.1 All contracts covered by this policy must have contract clauses that require the vendor to protect the covered data.

4.2 The specific contract clauses required depend on the type of data and the nature of the vendor's business. See this link for guidelines and contract clauses.

4.3 The contract may use the sample clauses published on the security.harvard.edu web site as-is or, if the vendor requires changes, with modifications. 

4.4 If the contract does not use the clauses as-is (without any modifications of substance) then the contract must be reviewed and approved by the Harvard Office of General Counsel, the Harvard Information Security Officer and the Harvard Chief Information Officer.

4.5 The vendor’s internal security design, policies and procedures must be reviewed by the Information Security Officer and/or Harvard Risk Management and Audit Services if the vendor deals with Harvard personally identifiable confidential information.

5. Effective date

5.1 New vendor agreements must comply with these policies as of July 1, 2005.

5.2 Existing vendor agreements must be brought into compliance with these policies when they are renewed after July 1, 2005.

6. Policy Enforcement

Harvard Risk Management and Audit Services, Harvard Office of General Counsel, and the Harvard Information Security Officer

7. Related Policies

8. Policy Contact

Harvard Information Security Officer
