SB12: Servers or applications classified as medium risk or higher, or handling data classified as L3 or higher, whether managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS), must use a centrally-managed Harvard authentication system that requires more than one factor for authentication where technically feasible, e.g. HarvardKey or Harvard VPN, or comparable non-Harvard multi-factor authentication system (supported/approved by Harvard).
Contracts covering the use of Level 3 or 4 confidential information must include confidentiality language approved by the Office of the General Counsel. The Personal Data Protection contract rider is acceptable to append to an existing contract and may be found at the OGC website.
Massachusetts 201CMR requires that written contracts be enacted with vendors managing Level 4 personally identifiable information. Review contract model documents at the Office of the General Counsel website.
Shred papers, CDs, DVDs, etc. with confidential information using Harvard's approved shredding vendor (Data Shredder) or a crosscut shredder. DataShredder also provides hard drive destruction service. The Harvard agreement provides prescheduled pickup service for bins and office consoles and a onetime purge service. A certificate of destruction is always provided for services under contract.
For more information on the University Master Service Agreement please refer to:
Options to meet this requirement: In every case below, use a sealed envelope.
When you can or when the risk dictates [sensitivity, number of records], choose hand delivery or ensure tracking/delivery confirmation. Ensure that you put in a mailbox or FedEx box as opposed to leaving in a basket in an open area for someone else to do so.
-Hand deliver (make sure you hand it to the intended recipient ) -University mail (up to Level 3) -US Mail (use tracking/delivery confirmation where practical) -FedEX/UPS (use tracking/delivery...