SB12. Servers or applications, whether managed directly by Harvard or via contract with a third-party service provider for Harvard's use (...

V2. Written contracts including appropriate university riders must be executed with all vendors/other third parties who collect, process, host, or store information classified as Level 3 and above.   ...

V1. Written contracts and appropriate riders must be executed with all vendors and other third parties who have access to Harvard non-public systems.

SA6: Users must only be permitted to access a server or application after their current business need for access has been established, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).