Security Policies

In higher education, an information security policy is a document required by state and federal law that just outlines how the school plans to protect its sensitive, confidential, or legally-protected information. An information security policy is often considered a "living document," meaning that the document is never finished, but is continuously updated as community, technology, and University, requirements change. 

University Policies & Guidelines

(See the University's full list on the Office of the Provost's website)

• Harvard Enterprise Security Policy (HESP)
• Harvard Research Data Security Policies
• Harvard University Digital Accessibility Policy
• Privacy Disclosures under Non-US Law for Individuals Located Outside the United States
• Policy on Access to Electronic Information (AEI)
  •  AEI FAQs
• Generative AI Guidelines
• Digital Millennium Copyright Act (DMCA)
• IT Professional Code of Conduct to Protect Electronic Information
• University Credit Card Merchant Handbook
• Harvard FERPA Common Directory Elements
• Harvard Records Management
  • General Records Schedule
  •  Research Records Schedule
• Harvard Staff Personnel Manual

HGSE Policies & Statements

• Written Information Security Plan (WISP)
• HGSE Confidentiality Agreement
• Website Privacy Statement

State and Federal Regulations

Massachusetts

• 201 CMR 17.00

Federal

• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Digital Millennium Copyright Act (DMCA)

International/Other

• EU General Data Protection Regulation (GDPR)
• Payment Card Industry Data Security Standard (PCI DSS)
• Personal Information Protection Law (PIPL) of the People’s Republic of China