Services Security Checklist

The use of external service providers' services and products can result in cost savings, as well as helping the Institute deliver instruction, collaborate, and share information and ideas.

While it can be quite simple to buy a license for a product or create an account with a cloud service provider and start using their service, there are some things we need to consider to ensure we are meeting our obligations to our students, each other, and the University System of Georgia (USG).

Before entering into an agreement with any vendor, even in the context of agreeing to an End User License Agreement for software you intend to use for Georgia Tech business, it is important to consider the following:

Care should be taken when considering the type of data to be stored, processed, and transmitted using the product or service:

  • Is this data subject to regulatory standards and/or protected by state, federal, or international law?
    • Examples include but are not limited to FERPA (Family Educational Rights and Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), CUI (Controlled Unclassified Information), and GDPR (General Data Protection Regulation).
  • Does the Institute consider this information to be sensitive?

Third-Party Security Assessments (TPSA)

  • Third-Party Security Assessments (TPSA) are security assessments conducted by OIT Cyber Security to confirm whether a vendor's product or service has information, data, and cybersecurity policies in place to protect GT sensitive institutional information and constituents' PII.
  • The TPSA utilizes the Higher Education Community Vendor Assessment Tool (HECVAT), vendor-supplied SOC2 report, and Security Scorecard.
    • Note: in cases where a specific report is not available from or about the Vendor, OIT (Office of Information Technology) Cyber Security may request additional supporting security reports or documentation.
  • When are TPSAs Required?
    • TPSAs are now required for all new third-party services.
    • Annual reviews are now required of all third-party services and will follow the same process, utilizing the TPSA.
  • OIT Cyber Security will work with service owners to review (annually) User Entity Controls (UECs).
  • To conduct Third-Party Security Assessments, OIT Cybersecurity may evaluate user entity controls using additional third-party assessment tools such as Security Scorecard to identify and/or evaluate control weaknesses.
  • These assessments may be used in conjunction with other appropriate security reports, as needed, such as SOC2 or HECVAT to evaluate new or existing tools (renewals).
    • Note: The criteria used to evaluate controls are generally not published, so as not to encourage vendors to "code around" them.

Steps for initiating a Third-Party Security Assessment:

The GT Sponsor of the Product (a GT Employee, faculty or staff only) will need to request that the Vendor provide the following:

  1. A recently completed HECVAT
    • To review general information about the HECVAT, please navigate to the EDUCAUSE HECVAT page here: EDUCAUSE HECVAT Information
    • We ask that vendors complete the Lite version of the HECVAT at minimum, which is located here: HECVAT Lite
    • Please Note: Make sure the Vendor knows that incomplete HECVATs will only delay the process, as more information will be requested.
  2. A current SOC2 Audit Report (completed within the last 12 months)
    • If the vendor does not have a SOC2 Report, other documentation may be requested by the Governance, Risk, and Compliance (GRC) team.
    • The evaluation of the Vendor's SOC2 Audit Report will be based on controls that are periodically reviewed with the data stewards (typically annually).
  3. The GT Sponsor, not the Vendor (see [1]), should then send, as email attachments, the HECVAT and SOC2 reports provided by the Vendor, along with any other supporting documentation, to ask@security.gatech.edu.
    • In the subject of the email, include 'HECVAT' + "Name of the Vendor" + "Name of the Product or Service".
    • A Compliance Analyst of the Cyber Security Governance, Risk, and Compliance (GRC) Team will be assigned to conduct the Third-Party Security Assessment. They will reach out to the GT Sponsor who submitted the information and deliverables described above.
    • The GRC Compliance Analyst may request other reports as required, allowing for other attestations that demonstrate equal or better solutions meeting or exceeding the controls, if necessary (e.g., after a Security Scorecard failure).
    • GRC Compliance Analysts will review all of the documentation and reports available to provide an unbiased opinion to the Data Steward of any Protected Data being used by the Vendor and/or Product.
    • Data Stewards provide Approval or Denial of the use of a Vendor’s Product or Service, NOT the Cyber Security GRC Compliance Analysts.

Escalation path: what are the next steps if the TPSA report is rejected?

  1. If the TPSA report is deemed Unacceptable by the Data Steward, all appeals will be evaluated by executive leadership.
  2. The GT Sponsor should document how and why this product should be approved. The GT Sponsor will submit this appeal to the ELT for their consideration.

For further assistance, contact GT Procurement and GT Legal for help with purchasing the product or service.

For Services that store, process, or transmit research data and may support Sponsor Data, the GT Sponsor must contact the appropriate Contracting Officer to ensure the desired service meets contract requirements. Verify that the service agreement for the product or service provides the following guarantees:

  • Georgia Tech maintains sole ownership of our data
  • If the vendor is hosting our data:
    • They must notify Georgia Tech in the event of a data breach
    • Georgia Tech has the right to reclaim our data
    • Georgia Tech has the right to review independent audit reports or to audit the cloud service provider
    • If the service is a cloud service, ensure they have implemented the following security measures [2] if you are considering using the service in conjunction with sensitive GT data:
      • Storage encryption
      • Transmission encryption
      • Password protection
      • Data backup
      • Secure data/drive disposal

[1] Please Note: The Third-Party Security Assessment (TPSA) must be initiated by a GT Sponsor (Faculty or Staff only) who will be the Point of Contact (POC) for the Third-Party Security Assessment process. You, as the GT Sponsor/POC, not the vendor, need to obtain the required documentation and submit it to ServiceNow via email as described above. IMPORTANT: Any Security Request submitted by a vendor will be rejected.

[2] The complete list of cloud security requirements for sensitive data is located in the Georgia Tech Data Protection Safeguards: http://b.gatech.edu/dps. Contact GT Cyber Security if assistance is needed with security issues: ask@security.gatech.edu

For a list of TPSAs (Third-Party Security Assessments) that have already been reviewed by the Cyber Security Governance, Risk, and Compliance team and Data Stewards, please navigate to this page: https://gatech.service-now.com/home?id=kb_article_view&sysparm_article=KB0025920. Please note, the table in this KB is for reference only and is updated "Best Effort" due to limited resources.

[Last Revised: 9/19/2021]