Services Security Checklist

Various services and products can help the Institute to deliver instruction, collaborate, and share information and ideas. While it can be very simple to buy a license for a product or create an account with a cloud service provider and start using their service, there are some things we need to consider to ensure we are meeting our obligations to our students and each other.

Before entering into an agreement with a vendor, even in the context of agreeing to an End User License Agreement for software you intend to use for Georgia Tech business, you should consider the following items:

  • Consider the type of data to be stored, processed, and transmitted using the product or service:
    • Is this data subject to regulatory standards and/or protected by federal law?
      • Examples: FERPA, HIPAA, DFARS 252.204-7012, GDPR
    • Does the Institute consider this information to be sensitive?
  • Have the vendor provide a completed HECVAT
    • To review general information about the HECVAT, see the EDUCAUSE HECVAT page: EduCause HECVAT Information
      • We ask that vendors complete at minimum the Lite version of the HECVAT, which is located here: HECVAT Lite
  • Send the HECVAT provided by the vendor to ask@security.gatech.edu, and include "HECVAT" in the subject line of the email.
  • Contact GT Procurement and GT Legal for assistance with purchasing the product or service
  • Read any applicable research agreements to verify that they allow the use of additional products or services to store, process, or transmit research data
  • Verify the service agreement for the product or service provides the following guarantees:
    • Georgia Tech maintains sole ownership of our data
    • If the vendor is hosting our data:
      • They must notify Georgia Tech in the event of a data breach
      • Georgia Tech has the right to reclaim our data
      • Georgia Tech has the right to review independent audit reports or to audit the cloud service provider
      • If the service is a cloud service and you are considering using it with sensitive GT data, ensure the provider has implemented the following security measures[1]:
        • Storage encryption
        • Transmission encryption
        • Password protection
        • Data backup
        • Secure data/drive disposal

[1] The complete list of cloud security requirements for sensitive data is located in the Georgia Tech Data Protection Safeguards: http://b.gatech.edu/dps. Contact GT CyberSecurity if assistance is needed with security issues: ask@security.gatech.edu