In our last blog post, we looked at some best practices in user authentication for academic institutions. The tips presented were all steps schools can take on their own to improve data security and protect personally identifiable information (PII).
But schools must consider more than their own systems and policies when it comes to data security. Colleges and universities work with many digital service providers. To truly safeguard student, staff, and faculty PII, institutions must choose the providers they work with very carefully.
Here are a few things academic institutions should look for – and some red flags to avoid – when assessing service providers’ ability to protect PII.
What to Look For
Our last post discussed why schools should use single sign-on (SSO) to authenticate users for access to resources. For the same reasons, institutions should seek vendors who support their SSO method of choice, be it Shibboleth, Active Directory Federation Services (ADFS), or another.
Look for service providers who incorporate security and privacy by design into their applications. Research what compliance certifications prospective vendors have. For example, do they comply with privacy laws like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA)? Do they adhere to the latest Web Content Accessibility Guidelines (WCAG)?
There are many other things to look for when assessing service providers. For example, vendors that offer end-user support and account management can free up IT resources. But a service provider’s ability to safeguard user data should be the top consideration.
What to Avoid
A study by Me2B found that 60% of apps used by academic institutions share student data with high-risk or unvetted parties. This statistic should scare schools as well as students. Because with strict privacy laws like the GDPR and CCPA proliferating around the world, institutions that mishandle students’ PII (or work with organizations that do) could face harsh fines for noncompliance.
As a rule, academic institutions should be wary of any service provider with a business model predicated on the sale of user data. This standard should apply not only to prospective vendors going forward, but in reassessing current partnerships as well.
Institutions should also avoid vendors that use technologies and practices that increase the risk of student data being unintentionally compromised. This includes service providers that don’t support SSO, as other authentication methods require the creation of multiple accounts and the sharing of credentials with outside parties – all of which increases the odds of data being compromised in a breach.
How to Assess
These are the traits that schools should look for (and steer away from) when assessing potential service providers. But how can institutions determine which vendors have these traits?
Fortunately, there’s a tool to help schools make this determination. The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a questionnaire template designed specifically for colleges and universities to assess potential vendors’ risk level and ability to ensure data security. For more details about how this works, check out our earlier blog on the importance of HECVAT.
Having vendors complete this kind of questionnaire should be a baked-in part of every institution’s procurement process. This will help schools separate the vendors capable of protecting PII from those that may not be.
Secure and Compliant Software Management
Watch how Kivuto Cloud enables academic institutions to manage and distribute digital resources more securely.