13. Harvard must conduct appropriate due diligence on third parties that will store or have access to Harvard confidential information or sensitive systems.
Third parties must be capable of protecting the information and systems to which they have access and must be required to protect the information and systems.
V2. Written contracts including appropriate university riders must be executed with all vendors/other third parties who collect, process, host, or store information classified as Level 3 and above. ...
V3: The security design, policies, and procedures of vendors and other third parties who will collect, process, host or store Level 4 information or manage Harvard critical systems must be reviewed by a University Information Security Officer. Find out more about Vendor Reviews.