13. Harvard must conduct appropriate due diligence on third parties that will store or have access to Harvard confidential information or sensitive systems.

Third parties must be capable of protecting the information and systems to which they have access and must be required to protect the information and systems. 
See also: Policy

Level 4 vendors

V3: The security design, policies, and procedures of vendors and other third parties who will collect, process, host or store Level 4 information or manage Harvard critical systems must be reviewed by a University Information Security Officer. Find out more about Vendor Reviews.

Read more about Level 4 vendors