# Policies and Standards

The PrivSec program is influenced by a number of external frameworks, which have shaped the University-wide principles, policies and standards in place today.

Harvard has established university-wide information security and privacy policies, requirements, standards, and principles that define responsibilities and best practices for safeguarding institutional assets and personal data.

Information Security

- [University Information Security Policy](https://privsec.harvard.edu/information-security-policy)
- [Risk Classification](https://privsec.harvard.edu/classify-risk)
- [Minimum Standards](https://privsec.harvard.edu/apply-standards)
- [Data Handling](https://privsec.harvard.edu/shield-data)
- [Requirements Guide](https://hu.sharepoint.com/:b:/r/sites/AwarenessVideos/Shared%20Documents/Downloadable%20Resources/Harvard%20Enterprise%20Information%20Security%20Requirements%202025.pdf?csf=1&web=1&e=asZqEM) (HarvardKey required)

Privacy

- [University-wide Privacy Principles](https://privsec.harvard.edu/privacy-principles)

Below are examples of key external influences.



 

## General Information Security Frameworks

These frameworks provide structured guidelines and best practices for establishing, implementing, and continuously improving an organization's cybersecurity program.

 

 



### [CIS Controls](https://www.cisecurity.org/controls/cis-controls-list)

Current University Framework

A set of best practices to help organizations defend against the most pervasive and dangerous cyber threats. Consists of 18 Critical Security Controls and 3 Implementation Groups (IG1 through IG3) that scale the controls to an organization's size and risk profile.



 

### [NIST Cybersecurity Framework (CSF)](https://www.nist.gov/cyberframework)

Offers guidelines on managing and reducing cybersecurity risk, organized around a core set of functions (Govern, Identify, Protect, Detect, Respond, Recover). Widely used across sectors, including higher education.



 

### [ISO/IEC 27001](https://www.iso.org/standard/27001)

An international standard specifying the requirements for establishing, operating, and continually improving an information security management system (ISMS).



 


 

 

 

## Data Privacy Regulations

These regulations establish legal standards and requirements for the collection, processing, and protection of personal data so that individuals' privacy rights are protected and respected. Below is a sampling of relevant laws and regulations that may pertain to Harvard.

 

 



### [Health Insurance Portability and Accountability Act (HIPAA)](https://www.hhs.gov/hipaa/index.html)

A federal law which applies to organizations that operate a healthcare facility or a health plan (a "covered entity") as well as the third-party services they share data with (a "business associate"). Focused on protecting patients' protected health information (PHI).



 

### [Family Educational Rights and Privacy Act (FERPA)](https://studentprivacy.ed.gov/faq/what-ferpa)

A federal law which grants parents the right to access their children's education records, request amendments to those records, and exercise some control over the disclosure of personally identifiable information contained within them. These rights transfer to the student at age 18 or upon enrollment in a postsecondary institution, so at a university they belong to the student.



 

### [General Data Protection Regulation (GDPR)](https://gdpr.eu/)

An EU law which applies when organizations collect, store, process or share personal data of individuals located in the European Union, regardless of where the organization itself is based. It emphasizes stringent data protection and privacy rules.



 

### [Personal Information Protection Law (PIPL)](https://personalinformationprotectionlaw.com/)

A Chinese law which applies when organizations collect, store, process or share personal data of individuals located in China. It emphasizes stringent data protection and privacy rules, including conditions on transferring personal data outside China.



 

### [Massachusetts 201 CMR 17.00](https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-residents-of-the-commonwealth)

A Massachusetts state regulation which requires any person or organization that owns or licenses personal information about a Massachusetts resident to develop a comprehensive written information security program (WISP) with detailed technical and procedural safeguards.



 


 

 

 

## Research-Specific Frameworks

Guidelines and methodologies developed to ensure the ethical, efficient, and secure conduct of research across various fields. These cover ethical standards, data management, publication and sharing, funding and compliance, and risk management and safety.

[Office of the Vice Provost for Research Policies](https://research.harvard.edu/research-policies-compliance/research-data-management/)

 



### [Controlled Unclassified Information (CUI)](https://www.ftc.gov/policy-notices/controlled-unclassified-information)

Standards for handling certain types of unclassified information that require safeguarding or dissemination controls, often applicable in research contracts.



 

### [NIST Special Publication 800-171](https://csrc.nist.gov/pubs/sp/800/171/r3/final)

A publication by the National Institute of Standards and Technology (currently at Revision 3) which outlines security requirements for protecting the confidentiality of Controlled Unclassified Information in nonfederal information systems and organizations.



 

### [NSPM-33](https://www.nsf.gov/bfa/dias/policy/nstc_disclosure.jsp)

National Security Presidential Memorandum-33 requires all federal research funding agencies to strengthen and standardize disclosure requirements for federally funded awards.



 

### [Federal Information Security Modernization Act (FISMA)](https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act)

Applies when conducting research funded by the U.S. federal government, with requirements for information security controls often flowed down through research contracts.



 

### [Export Control Regulations](https://www.trade.gov/us-export-regulations-0)

U.S. frameworks such as ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations), affecting research involving national security or military applications, including access to controlled technical data by foreign nationals.



 


 

 

 

## Sector-Specific Standards

Regulations, guidelines, and best practices designed to address the unique needs and challenges of particular industries or sectors.

[Office of Treasury Management Policies](https://otm.finance.harvard.edu/how-to/credit-cards)

 



### [Payment Card Industry Data Security Standard (PCI DSS)](https://www.pcisecuritystandards.org/standards/)

Required for handling credit card transactions; relevant if tuition payments or donations are processed via credit card.