Information Security Policy
Harvard Enterprise Information Security Policy (Under Review)
Version 2.0 Published: April 1, 2025
Harvard University is committed to the protection of our digital assets, including data entrusted to us, ensuring the confidentiality, integrity, and availability of assets critical to our academic, research, and operational missions. This policy establishes a framework for achieving our cybersecurity objectives at Harvard.
The requirements are risk-based and informed by best practices in data management, asset management, and incident response. Standards specify the technical, legal, and administrative controls, tools, and services that, when applied in combination, meet the risk-based requirements.
Exceptions must be formally requested, reviewed and advised on by the Chief Information Security and Data Privacy Officer (CISDPO) or their designee, and approved by a School Administrative Dean or their designee for exceptions generating risk specific to that school, or the Executive Vice President or their designee for exceptions generating enterprise risk.
This policy, its associated requirements, and its standards will be revised regularly to ensure continued effectiveness in today's dynamic technology and regulatory landscape.
This policy applies to all faculty, staff, students, and affiliates, who are required to adhere to it.
Responsibilities of all community members
- Complete applicable training.
- Classify system and data risk appropriately.
- Protect data, systems, accounts and passwords, whether in digital or physical form.
- Use Harvard contracted services for Harvard confidential information.
- Report security incidents and suspicious cyber activity.
Responsibilities of system administrators
- Classify system and data risk appropriately.
- Apply and maintain Minimum Standards appropriate to the risk classification.
- Provide security incident response assistance.
Policy Resources
Researchers should visit the OVPR’s Research Data Management site for additional policy considerations.
University Risk Classifications
Understand the risk before taking action.
Minimum Standards
Secure your systems and data properly.
Awareness Training
Learn more about your role and general best practices.
Get Help
Contact the ISDP team or a School Security and Data Privacy Officer for assistance.
Original Policy Statements
- All users are responsible for protecting Harvard confidential information that they use in any form from unauthorized access and use.
- All users are responsible for protecting their Harvard passwords and other access credentials from unauthorized use.
- All access to and use of Harvard confidential information must be for authorized Harvard purposes.
- Harvard systems must not be used in a manner that violates University policies.
- All persons accessing Harvard confidential information must be trained in protecting such information.
- All users of Harvard confidential information resources must be accurately and individually identified.
- Harvard confidential information must be protected on any computer or device.
- All Harvard systems and systems storing Harvard confidential information must be protected against improper access.
- All critical systems, and systems and locations where Level 4 or 5 information is stored, must be accurately identified and physically secure.
- Electronic and physical records containing Harvard confidential information must be appropriately protected when transported or transmitted.
- Software must be kept up to date on all Harvard systems and systems storing Harvard confidential information.
- Electronic and physical records containing Harvard confidential information must be properly disposed of so that the information cannot be retrieved or reassembled when no longer needed or required to be kept.
- Harvard must conduct appropriate due diligence on third parties that will store or have access to Harvard confidential information or sensitive systems.
- Any actual or suspected loss, theft, or improper use of or access to, Harvard confidential information or systems must be reported.