University Information Security Policy

Version 2.0 Published: TBD

Purpose

Harvard University is committed to the protection of our data and digital assets, including data entrusted to us, to safeguard confidentiality, integrity, and availability of information critical to our academic, research, and operational missions. This policy establishes a framework for achieving our information security objectives at Harvard.

This policy includes overarching responsibilities and underlying standards that detail what steps must be taken by different Harvard community members to fulfill their responsibilities and adequately safeguard data and systems in accordance with their risk classifications. Detailed implementation guidance, in the form of standards, is included as additional resources.

Scope

This policy applies to all Harvard community members - including faculty, staff, and students - who interact with, access, or manage University data (including Confidential Information) or digital resources, regardless of location or device.

Definitions

Community Members: Any faculty, staff, students, or associated individuals who have access to University systems or Confidential Information.

Confidential Information: All data classified as Level 2 or above in accordance with University Risk Classifications.

PrivSec (Information Security/Data Privacy Office): The Harvard organizational unit and staff responsible for overseeing University-wide information security and privacy safeguards, policy, certain compliance-related functions, monitoring, training, and incident response.

System Administrator: Person(s) who, individually or together as part of a team, maintain or operate information technology services or systems, multiuser servers, shared data repositories, or similar services or platforms.

University Data: Information created, collected, maintained, transmitted, recorded or otherwise processed by or for Harvard or in connection with University activities. This includes, but is not limited to, information maintained in paper, electronic, audio, or visual formats and both non-confidential information and Confidential Information.

Risk Classifications

Foundational to this policy is understanding the risk classification of data and systems to determine the safeguards required for their protection. Harvard University applies a tiered risk classification framework to all University data and digital resources as part of its information security program.

Responsibilities of All Harvard Community Members

  • Complete required information security and data privacy training and confidentiality agreements.
  • Understand and apply Harvard’s data and system risk classifications and handling requirements.
  • Protect University data and systems, digital and physical, in accordance with University risk classifications.
  • Safeguard accounts and passwords.
  • Promptly report suspected security incidents or suspicious cyber activity and cooperate with any information security investigations.

Responsibilities of System Administrators

  • Establish and maintain a comprehensive inventory of all technology assets.
  • Ensure that services handling Confidential Information are retained pursuant to an appropriate written agreement.
  • Implement access controls and authentication protocols, manage access lists, and apply least privilege principles.
  • Ensure all technology assets are securely configured based on University risk classifications, are regularly maintained, and kept up to date to protect against security threats.
  • Establish, document, and regularly test backup and data recovery processes to meet business objectives.
  • Support and participate in incident response and penetration testing activities.

Responsibilities of PrivSec (Information Security/Privacy Office)

  • Develop and maintain the University Information Security Policy.
  • Develop and maintain related awareness and education content.
  • Publish University standards for technology assets, compliance, and third-party/vendor risk assessments.
  • Lead and coordinate the University’s incident response activities and investigations.
  • Advise on risk mitigation strategies, compensating controls and requests for policy exceptions.

Enforcement

Suspected violations will be investigated pursuant to University policies and procedures. Confirmed violations may result in disciplinary measures, including, but not limited to, termination of employment, disciplinary actions or sanctions, legal action, or revocation of access privileges, consistent with applicable University policies governing faculty, staff, and students.

Policy Exceptions

Exceptions to this policy must be formally requested to and reviewed by the Chief Information Security and Data Privacy Officer (CISDPO) or their designee.

The CISDPO may require additional approvals, including, where appropriate, from school leadership.

Policy Review

This policy, its responsibilities, and its underlying standards will be reviewed and updated regularly to reflect the threat environment, compliance standards, and relevant frameworks.

This policy and its implementation shall be subject to periodic review and amendment as needed by the Information Security and Privacy Office.

Material changes to this policy will be subject to review and approval by the Information Security Oversight Committee (ISOC).

Substantive changes to the supporting requirements will be reviewed by the Information Security Advisory Committee (ISAC).

If you are unsure of your responsibilities under this policy, contact the Information Security and Data Privacy Office to discuss your situation.

Researchers should visit the OVPR’s Research Data Management site for additional policy considerations.