V2: Contracts with vendors managing Level 3 or Level 4 information or managing Harvard sensitive systems must contain specific confidentiality and security language already approved by the Office of General Counsel (OGC), or be reviewed by the OGC. Find out more about approved Contract Riders for Vendors.
V3: The security design, policies, and procedures of vendors and other third parties who will collect, process, host or store Level 4 information or manage Harvard critical systems must be reviewed by a University Information Security Officer. Find out more about Vendor Reviews.
V1: Written contracts must be executed with all vendors and other third parties who collect, process, host or store Level 3 or 4 information or have access to Harvard sensitive systems. Find out more about appropriate Contract Riders for Vendors.