IT Cloud Vendor Security Review Request

Use this form to request a security review of new cloud services/applications prior to purchase.  The following information will be needed to complete the request.

1.    Confirmation the SaaS solution can meet the following security requirements:

  • Access Control – Can integrate with the university SSO service. If the university SSO service cannot be used, enable two-factor authentication.
  • Encryption In-transit – uses only transport layer encryption, TLS 1.2 or higher.
  • Encryption At-Rest – encrypts application data while at-rest.
  • Log Management – logs security related events and responds to alerts in a timely manner.  Logs are kept for a minimum of 120 days.
  • Regulatory Compliance – complies with applicable regulatory data security requirements (FERPA, PCI DSS, HIPAA, GLBA, etc.).

2.    Application/Service Information

  • A functional description of the cloud service/application.
  • The data elements that will be processed/stored. 
  • The classification of the cloud service/application (based on the data classification; see the 2021 CES Information Classifications v21 - Final (1).pdf).
  • A completed security audit report, certificate of conformance, or an industry-recognized self-assessment attesting to the vendor’s key security practices and capabilities.  Preferred conformance documents include:
    • Third-party SOC2 Type II report 
    • Third-party SOC2 Type I report 
    • ISO 27001:2013 
    • HECVAT (v3 or later) - if the cloud service stores Restricted data
    • HECVAT Lite (v3 or later) – if the cloud service stores any private data other than Restricted
    • CAIQ v4 or later 

***If the vendor does not have any of the above listed documents, they must complete the appropriate HECVAT.  These can be downloaded from the EDUCAUSE website here: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit#tools.

We will need copies of the vendor's information security policies and other documentation describing security controls in place to protect University information.

 

Details

Service ID: 1121
Created: Thu 9/15/22 11:04 AM
Modified: Tue 5/2/23 9:14 AM