Vendor Compliance

HGSE’s confidential information is only as secure as our third-party service providers, or vendors, that we entrust with it. The rising cost of technology and an institution’s desire to improve the bottom line is fostering many decisions to outsource more and more of infrastructural and research project processes and functionality. Outsourcing IT and School business systems and processes saves money only if the vendor neglects to have a security breach. Unfortunately, many vendors leave the door open for attack, as they don’t necessarily keep client security interests top of mind.

In order to truly protect our outsourced information, HGSE security policies require that due diligence vendor security assessments be performed prior to entrusting any vendor with our confidential and legally protected information.

Any HGSE member looking to entrust Level 3 or 4 data to a third-party service provide must first receive approval from HGSE’s Director of Security Operations (DSO). The DSO will reach out to the requested vendor to review all required security policies and procedures of the vendor. If the vendor is deemed compliant with Harvard/HGSE security policies by the DSO, a written contract or statement of work including the proposed vendor services and appropriate Harvard contract riders (to include the Personal Data Protection Rider and the GDPR Data Protection Rider) must be in place before HGSE users are permitted to entrust sensitive or confidential data with the vendor.

Please visit our Secure Collaboration section for some of the University's approved (i.e., previously reviewed and determined compliant for use by HGSE users) third-party service providers as well as HGSE's Tool Classification Matrix. Alternatively, HGSE users can set up an appointment with HGSE's DSO to discuss their specific security needs and third-party service provider compliance assessments by navigating here: