Introduction

The Information Security Policy consists of three elements: Policy Statements | Requirements | How To's

Choose a Security Control level below to view associated Requirements based on the higher of the two, data risk level or system risk level. The higher the level, the greater the required protection. 

  • All non-public information that Harvard manages directly or via contract is defined as "Harvard confidential information."
  • "Harvard systems" means Harvard-owned or Harvard-managed systems, whether on Harvard premises or through contracted Cloud-based service.

Public information (Level 1)

Level 1 Harvard Systems

Not applicable

Low

Low Risk information (Level 2) is information the University has chosen to keep confidential but the disclosure of which would not cause material harm.

Low Risk Systems (L2)

Harvard systems that if compromised would not result in significant disruption to the School or University operations or research, and would pose no risk to life safety. 

Medium Risk information (Level 3) could cause risk of material harm to individuals or the University if disclosed or compromised.

Medium Risk Systems (L3)

Harvard systems that if compromised could result in:

  • material disruptions to School or University operations or research
  • material disruptions or damage to non-critical applications or assets
  • potential material reputational, financial, or productivity impacts
  • no risk to life safety

High risk information (Level 4) would likely cause serious harm to individuals or the University if disclosed or compromised.

High Risk Systems (L4)

Harvard systems that if compromised could result in:

  • major disruptions to School or University operations or research
  • major disruptions or damage to critical applications or assets
  • likely significant reputational, financial, or productivity impacts
  • life safety impacts

Reserved for extremely sensitive Research Data that requires special handling per IRB determination. 

Level 5 Systems

Specific to Research security protocol requirements