Use this form to request a security review of new cloud services/applications prior to purchase.
1. Prior to completing the form, ensure the SaaS solution can meet the following security requirements:
- Access Control – the application or service can integrate with the university SSO service. If the university SSO service cannot be used, two-factor authentication can be enabled. If neither of these requirements can be fulfilled, please consult Todd Brown (todd_brown@byu.edu).
- Regulatory Compliance – the application or service complies with the data security requirements of every regulation applicable to the data it will handle (FERPA, PCI DSS, HIPAA, GLBA, etc.).
2. The following information will be required to complete this request:
- A functional description of the cloud service/application.
- The data elements that will be processed/stored.
- The classification of the cloud service/application (based on the Data Classification Policy).
- The vendor must provide a completed security audit report, certificate of conformance, or an industry recognized self-assessment attesting to the vendor’s key security practices and capabilities. Preferred conformance documents include:
  - Third-party SOC 2 Type II report (controls tested for operating effectiveness over a review period)
  - Third-party SOC 2 Type I report (control design assessed at a single point in time)
  - ISO 27001:2013 certification
  - HECVAT (v3 or later) – if the cloud service stores Restricted data
  - HECVAT Lite (v3 or later) – if the cloud service stores any private data other than Restricted
  - CAIQ (v4 or later)

If the vendor does not have any of the documents listed above, they must complete the appropriate HECVAT (full or Lite, per the data classification above). The HECVAT can be downloaded from the EDUCAUSE website here: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit#tools.