The HarvardKey Application Integration Policy requires application owners to review their registration data annually and attest to the following:

• The application(s) and registration(s) are still active and should be retained.
• The system risk and data levels associated with the application(s) are accurate.
• The authorization filter in use is appropriate given the system risk and data levels and aligns with the Standards for Assigning Authorization section of the Application Integration Policy.
• Attributes released are being used in accordance with the HarvardKey Application Integration Policy.

The annual attestation process is supported in the HarvardKey Application Registry (HKAR). Attestations for registrations integrated with HarvardKey after May 1, 2022 are due one year after the integration.

What’s required of application teams?

To perform the annual attestation process we request that application teams first ensure that all data clean-up and policy compliance activities are completed for applications within their purview.  This includes:

• Identifying applications and registrations that are no longer in use and requesting that they be retired
• Adding basic information to applications such as business purpose, data and risk levels 
• Ensuring every registration has an appropriate authorization filter

Note that only users with the Application Liaison or Department Liaison role in HKAR have permission to make or request changes. 

After data clean-up is complete, proceed to the attestation process. The attestation process is described in detail in the Completing the Annual Attestation Process article on the IT Help Portal. 

General Attestation Resources

• For detailed instructions visit the Completing the Annual Attestation Process article on the IT Help Portal.
• For an overview of reports that support the process, visit the Reports to Support the Annual Attestation Process article on the IT Help Portal.

Attestation Resources for App & Department Liaisons

• To view a list of Registration Managers associated with applications in your department or for which you are a liaison, visit the Registration Managers report available under the Reports tile/menu and select the appropriate filter radio button.
  • To view applications with no Registration Manager, select the Applications without Registration Manager Contacts sub-report (under the Primary Report dropdown)
• To add a Registration Manager contact to an application, visit the IT Help Portal for instructions on linking a contact and setting the contact type. 
• To see the status of Attestations for registrations in your department or for which you are a liaison, visit the Attestation Status report available under the Attestations tile/menu and select the appropriate filter radio button.

General HKAR Resources

• Visit the Getting Started with HKAR page in the IT Help Portal.
• IAM hosts weekly Office Hours on Tuesdays from 1-2 pm to answer any questions related to Authentication and Authorization services including how to complete data clean-up, compliance tasks, and annual attestation in HKAR. If you have any questions about HKAR, HarvardKey, HarvardKey Light, or Group Authorization, you can register for an upcoming session of Authentication and Authorization Office Hours here. 

Please reach out to us if you have any questions about the information provided.  If existing Office Hours are not convenient for your schedule, feel free to propose a meeting with Masha Shoykhet, HKAR Service Offering Owner, at a different time.