#  University Information Security Policy 

 



Updated May 7, 2026

## Purpose

Harvard University is committed to the protection of our data and digital assets, including data entrusted to us, to safeguard confidentiality, integrity, and availability of information critical to our academic, research, and operational missions. This policy, administered by the University Information Security and Data Privacy team (“PrivSec”), establishes a risk-based framework for achieving our information security objectives at Harvard.

This policy defines overarching responsibilities for all Community Members to support the proper protection of University data, systems, and services. All Community Members and System or Service Custodians must comply with the requirements and standards established to support this policy.

## Scope

This policy applies to all faculty, staff, students, and other individuals who interact with, access, or manage University Data (including Confidential Information), systems, or digital resources, regardless of location or device. This includes use of personal devices when accessing University systems or data

### Definitions

- **Community Members**: Faculty, staff, students, or other individuals who access or use University data (including Confidential Information), systems, or digital resources, regardless of location or device.
- **Confidential Information**: University Data classified as Level 2 through Level 5 in accordance with the University Risk Classifications.
- **System or Service Custodians (Custodians)**: Community Members in control of or responsible for the operation, maintenance, or vendor management of a system or service processing University Data.
- **University Data**: Information created, received, maintained, transmitted, recorded or otherwise processed by or for Harvard, including by third parties acting on Harvard’s behalf, or in connection with Harvard activities. This includes, but is not limited to, information maintained in paper, electronic, audio, or visual formats and includes both non-confidential information and Confidential Information.

### Risk Classification

All University data and systems are classified using a tiered risk framework, the University Risk Classifications, that determines the safeguards required for their protection. The University Risk Classifications define five levels of sensitivity. Community Members and System or Service Custodians must apply these classifications consistently when working with University data and systems.

### Community Member Responsibilities

Community Members are responsible for the following:

1. Completing required information security and data privacy training
2. Applying the Risk Classifications and corresponding safeguards when creating, collecting, using, storing, or otherwise processing University Data
3. Protecting accounts and authentication credentials used for University activities
4. Maintaining the security of devices used for University activities
5. Protecting University Data and accessing University Data only as necessary to perform Harvard responsibilities
6. Reporting suspected or confirmed security or data privacy incidents promptly

[Click here to view the applicable requirements associated with these responsibilities](https://privsec.harvard.edu/community-members-responsibilities).

### System or Service Custodian Responsibilities

In addition to the Community Member responsibilities, System or Service Custodians are responsible for the following for the system or service they manage:

1. Managing and securing assets and configurations
2. Controlling and protecting access and identity
3. Protecting University Data
4. Maintaining backup, recovery, and continuity capabilities
5. Monitoring, reviewing, and detecting information security related activity
6. Securing networks and infrastructure
7. Managing vendors and cloud services responsibly
8. Preparing for and responding to privacy and security incidents

[Click here to view the applicable requirements associated with these responsibilities](https://privsec.harvard.edu/system-administrators-responsibilities).

### PrivSec (Information Security and Data Privacy Office) Responsibilities

PrivSec provides University-wide leadership and coordination for information security and data privacy and is responsible for:

1. Developing, maintaining, and interpreting the University Information Security Policy, including its related requirements and implementation standards
2. Developing and maintaining related awareness, training, and education content
3. Publishing and updating University standards to support this policy and its requirements
4. Developing and maintaining the policy exception process
5. Advising on risk mitigation strategies and compensating controls
6. Leading and coordinating PrivSec incident response activities and investigations
7. Ensuring the policy and related requirements remain current, effective, and aligned with University objectives and applicable frameworks

### Enforcement

Suspected violations will be investigated pursuant to University policies and procedures in coordination with the relevant University offices. Confirmed violations may result in disciplinary measures, legal actions, or other consequences commensurate with the violation.

### Policy Exceptions

All exceptions to this policy must be formally requested, and must be reviewed and approved by, the Chief Information Security and Data Privacy Officer (CISDPO) or their designee.

Additional approvals may be required based on the nature of the exception.

### Policy Review

This policy, its responsibilities, and related requirements will be reviewed periodically and updated as necessary to reflect changes in the risk environment, compliance obligations, and relevant frameworks.

Material changes to this policy will be subject to review and approval by the Information Security Oversight Committee (ISOC).

If you are unsure of your responsibilities under this policy, contact PrivSec for guidance.



 

##  Related Resources 

Use these resources to understand university information security requirements, access supporting standards, and find implementation guidance.

 

 



 ### Information Security Standards

Official university resources supporting the information security requirements.

- [University Risk Classification](/classify-risk "Classify Risk")
- [Minimum Standards](/apply-standards "Apply Standards")
- [Data Handling](/shield-data "Shield Data")



 

 ### University Policies

Official university policies, and governance resources supporting the information security requirements.

- [Identity and Access Management](https://www.iam.harvard.edu/)
- [Research Data Management](https://research.harvard.edu/research-policies-compliance/research-data-management/)
- Acceptable Use (pending)



 

 ### Related Topics

Explore related security, privacy, and compliance topics.

- [University-Wide Privacy Principles](/privacy-principles "University-Wide Privacy Principles")
- [Awareness and Education](/awareness-and-education "Awareness and Education")
- [Best Practices](/best-practices "Best Practices")
- [Roles](https://privsec.harvard.edu/roles)