SB12: Servers or applications classified as medium risk or higher, or handling data classified as L3 or higher, whether managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS), must use a centrally-managed Harvard authentication system that requires more than one factor for authentication where technically feasible, e.g. HarvardKey or Harvard VPN, or a comparable non-Harvard multi-factor authentication system (supported/approved by Harvard).
V2: Contracts with vendors managing Level 3 or Level 4 information or managing Harvard sensitive systems must contain specific confidentiality and security language already approved by the Office of General Counsel (OGC), or be reviewed by the OGC. Find out more about approved Contract Riders for Vendors.
V1: Written contracts must be executed with all vendors and other third parties who collect, process, host or store Level 3 or 4 information or have access to Harvard sensitive systems. Find out more about appropriate Contract Riders for Vendors.