Community Members Responsibilities
Community Members
If you are a faculty or staff member, student, or any other individual who accesses or uses University Data (including Confidential Information), systems, or digital resources - regardless of your location or device - you are a Community Member.
Community Member and other terms used on this page are defined in the University Information Security Policy.
Completing required information security and data privacy training:
- Complete required security and privacy training on an annual basis, if you access Confidential Information
- Complete additional role-based security training, if specifically required for your role (e.g., HIPAA, Research)
Recommendation: Participate in supplemental training programs offered by your school or PrivSec.
Applying the University Risk Classifications and corresponding safeguards when creating, collecting, using, storing, or otherwise processing University Data:
- Determine the appropriate risk classification before creating, collecting, using, storing, or otherwise processing University Data, using the University Risk Classifications
- Use only systems and services approved for the determined risk classification level, and handle University Data in accordance with applicable standards
- Reassess risk classification periodically and when there are significant changes to the University Data or the systems used to store or process it, and adjust your practices accordingly
Protecting accounts and authentication credentials used for University activities:
- Enable and use passwordless or multi-factor authentication methods when available
- Use a strong, unique password that meets University standards for each University system that requires a password
- Use University password(s) only for University accounts
- Keep account credentials private; do not share them
Recommendation: Use a password manager to generate strong passwords and store them securely.
Maintaining the security of devices used for University activities:
- Keep all devices updated. Apply patches and updates promptly
- Use only software and applications that are supported and receive updates
- Keep security controls configured by a System or Service Custodian enabled; do not disable or circumvent them
- Ensure all personal devices used to access University systems or store University Data meet University Minimum Standards, and destroy data when the device is decommissioned or your University affiliation changes
Note: System and Service Custodians, PrivSec, or others responsible for University systems and data may impose additional restrictions or disallow the use of personal devices in some cases.
Protecting University Data and accessing University Data only as necessary to perform Harvard responsibilities:
- Only access University Data necessary to perform Harvard responsibilities
- Share University Data only with authorized University personnel, affiliates, and third parties who need access to such data, using appropriate contractual protections
Reporting suspected or confirmed security or data privacy incidents promptly:
- Immediately report suspected security incidents, including lost or stolen devices, suspected unauthorized access to data, signs of compromise, or suspicious emails
- Cooperate with University investigations when incidents occur
If you have questions about the requirements or want to discuss an exception, contact the relevant System and Service Custodian, your School PrivSec Officer, or PrivSec.
Material changes to these requirements will be subject to review and approval by the Information Security Advisory Council (ISAC).
University Resources
Official university guidance, approved tools, and support resources.
- University Information Security Policy
- University Risk Classification
- Report a Security or Privacy Incident
- Acceptable Use Policy (pending)