Services Security Checklist

Various services and products can help the Institute deliver instruction, collaborate, and share information and ideas. While it can be very simple to buy a license for a product or create an account with a cloud service provider and start using their service, there are some things we need to consider to ensure we are meeting our obligations to our students and each other. Before entering into an agreement with a vendor, even in the context of agreeing to an End User License Agreement for software you intend to use for Georgia Tech business, you should consider the following items:

  • Consider the type of data to be stored, processed, and transmitted using the product or service:
  • Have the vendor provide a completed HECVAT
  • Contact GT procurement and GT Legal to assist with purchasing the product or service:
  • Read research agreements to verify they allow the use of additional products or services to store, process, or transmit research data
  • Verify the service agreement for the product or service provides the following guarantees:
    • Georgia Tech maintains sole ownership of our data
    • If the vendor is hosting our data:
      • They must notify Georgia Tech in the event of a data breach
      • Georgia Tech has the right to reclaim our data
      • Georgia Tech has the right to review independent audit reports or to audit the cloud service provider
      • If the service is a cloud service, ensure they have implemented the following security measures[1] if you are considering using the service in conjunction with sensitive GT data:
        • Storage encryption
        • Transmission encryption
        • Password protection
        • Data backup
        • Secure data/drive disposal

[1] The complete list of cloud security requirements for sensitive data is located in the Georgia Tech Data Protection Safeguards: http://b.gatech.edu/dps. Contact GT CyberSecurity if assistance is needed with security issues: ask@security.gatech.edu