# Security Policies

 



In higher education, an information security policy is a document, required by state and federal law (in Massachusetts, for example, by 201 CMR 17.00, listed under the regulations below), that outlines how the school plans to protect its sensitive, confidential, or legally protected information. An information security policy is often considered a "living document," meaning that the document is never finished, but is continuously updated as community, technology, and University requirements change.

## University Policies & Guidelines

(See the University's full list on the [Office of the Provost's website](https://provost.harvard.edu/pages/policies))

- [Harvard Enterprise Information Security Policy (HEISP)](https://privsec.harvard.edu/information-security-policy)
- [Harvard Research Data Security Policies](https://research.harvard.edu/research-policies-compliance/)
- [Harvard University Digital Accessibility Policy](https://accessibility.huit.harvard.edu/digital-accessibility-policy)
- [Harvard University Privacy Statement](https://privsec.harvard.edu/harvard-university-privacy-statement)
- [Privacy Disclosures under Non-US Law for Individuals Located Outside the United States](https://internationaldataprivacy.harvard.edu/)
- [Policy on Access to Electronic Information (AEI)](https://huit.harvard.edu/policy-access-electronic-information)
    - [AEI FAQs](https://provost.harvard.edu/sites/hwpi.harvard.edu/files/provost/files/aei_policy_faqs.pdf)
- [Generative AI Guidelines](https://huit.harvard.edu/ai/guidelines)
- [Digital Millennium Copyright Act (DMCA)](http://dmca.harvard.edu/)
- [IT Professional Code of Conduct to Protect Electronic Information](https://huit.harvard.edu/it-professional-code-conduct-protect-electronic-information)
- [University Credit Card Merchant Handbook](https://finance.harvard.edu/how-to/merchant-accounts-and-credit-cards)
- [Harvard FERPA Common Directory Elements](https://provost.harvard.edu/files/provost/files/ferpa_overview.pdf)
- [Harvard Records Management](http://library.harvard.edu/university-archives/managing-university-records/homepage)
- [Harvard Staff Personnel Manual](https://harvie.harvard.edu/staff-personnel-manual)

## HGSE Policies & Statements

- [Written Information Security Plan (WISP)](https://hu.sharepoint.com/:w:/s/HGSEIT/IQBEBRoXvLQ5S4VWg181V5jgAWT5W66RzYUlyLqgiQFNhmA?e=C6Fxv8)
- [Website Privacy Statement](http://www.gse.harvard.edu/policies/privacy)

## General Information Security Frameworks

- [CIS Critical Security Controls](https://www.cisecurity.org/controls/cis-controls-list)
- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)
- [ISO/IEC 27001](https://www.iso.org/standard/27001)

## Research-Specific Frameworks

- [Controlled Unclassified Information (CUI)](https://www.ftc.gov/policy-notices/controlled-unclassified-information)
- [NIST Special Publication 800-171](https://csrc.nist.gov/pubs/sp/800/171/r3/final)
- [NSPM-33](https://www.nsf.gov/bfa/dias/policy/nspm-33-implementation-guidance)
- [Federal Information Security Modernization Act (FISMA)](https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act)
- [Export Control Regulations](https://www.trade.gov/us-export-regulations-0)

## State and Federal Regulations

### Massachusetts

- [201 CMR 17.00](https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-residents-of-the-commonwealth)

### Federal

- [Family Educational Rights and Privacy Act (FERPA)](https://studentprivacy.ed.gov/faq/what-ferpa)
- [Health Insurance Portability and Accountability Act (HIPAA)](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html)
- [Digital Millennium Copyright Act (DMCA)](http://www.copyright.gov/legislation/dmca.pdf)

### International/Other

- [EU General Data Protection Regulation (GDPR)](https://gdpr.eu/)
- [Payment Card Industry Data Security Standard (PCI DSS)](https://www.pcisecuritystandards.org/document_library)
- [Personal Information Protection Law (PIPL) of the People’s Republic of China](https://personalinformationprotectionlaw.com/)