Use this form to request a security review of new cloud services/applications prior to purchase. The following information will be needed to complete the request.
1. Confirmation that the SaaS solution can meet the following security requirements:
- Access Control – can integrate with the university SSO service. If the university SSO service cannot be used, two-factor authentication must be enabled.
- Encryption In-Transit – uses only transport layer encryption, TLS 1.2 or higher.
- Encryption At-Rest – encrypts application data while at rest.
- Log Management – logs security-related events and responds to alerts in a timely manner. Logs are kept for a minimum of 120 days.
- Regulatory Compliance – complies with applicable regulatory data security requirements (FERPA, PCI DSS, HIPAA, GLBA, etc.).
2. Application/Service Information
- A functional description of the cloud service/application.
- The data elements that will be processed/stored.
- The classification of the cloud service/application (based on the data classification; see the 2021 CES Information Classifications v21 - Final (1).pdf).
- A completed security audit report, certificate of conformance, or an industry-recognized self-assessment attesting to the vendor's key security practices and capabilities. Preferred conformance documents include:
  - Third-party SOC 2 Type II report
  - Third-party SOC 2 Type I report
  - ISO 27001:2013
  - HECVAT (v3 or later) – if the cloud service stores Restricted data
  - HECVAT Lite (v3 or later) – if the cloud service stores any private data other than Restricted
  - CAIQ v4 or later

Note: If the vendor does not have any of the documents listed above, they must complete the appropriate HECVAT. These can be downloaded from the EDUCAUSE website here: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit#tools.
We will need copies of the vendor's information security policies and other documentation describing security controls in place to protect University information.