Policies and Standards
Harvard’s university-wide information security and privacy policies, standards, and principles set clear expectations for how we protect institutional assets and personal data. Use the resources below to understand your responsibilities and follow best practices.
- Information Security
- Privacy
General Information Security Frameworks
Key external influences that provide structured guidelines and best practices for establishing, implementing, and continuously improving an organization’s cybersecurity program.
CIS Controls
A set of best practices to help organizations defend against the most pervasive and dangerous cyber threats. Consists of 18 Critical Security Controls and 3 Implementation Groups.
NIST Cybersecurity Framework (CSF)
Offers guidelines on managing and reducing cybersecurity risks, widely used across various sectors, including higher education.
ISO/IEC 27001
An international standard providing requirements for an information security management system (ISMS).
Data Privacy Regulations
Established legal standards and requirement for the collection, processing, and protection of personal data to ensure individuals' privacy rights are protected and respected. Below is a sampling of relevant laws and regulations that may pertain to Harvard.
Health Insurance Portability and Accountability Act (HIPAA)
A federal law which applies to organizations who operate a healthcare facility or a health plan (a "covered entity") as well as the third-party services they share data with (a "business associate"). Focused on consumer protection for patients health information (PHI).
Family Educational Rights and Privacy Act (FERPA)
A federal law which grants parents the right to access their children's educational records, request amendments to these records, and exercise some control over the disclosure of personally identifiable information contained within them.
General Data Protection Regulation (GDPR)
A EU law, which applies when organizations collect, store, process or share personal data of individuals located in the European Union. It emphasizes stringent data protection and privacy rules.
Personal Information Protection Law (PIPL)
A Chinese law, which applies when organizations collect, store, process or share personal data of individuals located in the China. It emphasizes stringent data protection and privacy rules.
Massachusetts 201 CMR 17.00
A state law, which requires businesses to develop a comprehensive written information security program (WISP) to protect residents' personal data with detailed technical and procedural safeguards.
Research-Specific Frameworks
Guidelines and methodologies developed to ensure the ethical, efficient, and secure conduct of research across various fields. Includes Ethical Standards, Data Management, Publication and Sharing, Funding and Compliance and Risk Management and Safety.
Controlled Unclassified Information (CUI)
Standards for handling certain types of unclassified information that require safeguarding or dissemination controls, often applicable in research contracts.
NIST Special Publication 800-171
A publication by the National Institute of Standards and Technology which outlines security requirements for protecting the confidentiality of Controlled Unclassified Information in Non-Federal Information Systems and Organizations.
NSPM-33
National Security Presidential Memorandum-33 requires all federal research funding agencies to strengthen and standardize disclosure requirements for federally funded awards.
Federal Information Security Management Act (FISMA)
Applies when conducting research funded by the U.S. federal government, with requirements for information security controls often applicable in research contracts.
Export Control Regulations
U.S. frameworks like ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations), affecting research regarding national security or military applications.
Sector-Specific Standards:
Regulations, guidelines, and best practices designed to address the unique needs and challenges of particular industries or sectors.
Payment Card Industry Data Security Standard (PCI DSS)
Required for handling credit card transactions, relevant if tuition payments or donations are processed via credit card.