
What Schools Should Look For (and Avoid) in Potential Service Providers

Kumiko Saito | June 23, 2021
Digital Service Providers

In our last blog post, we looked at some best practices in user authentication for academic institutions. The tips presented were all steps schools can take on their own to improve data security and protect personally identifiable information (PII).

But schools must consider more than their own systems and policies when it comes to data security. Colleges and universities work with many digital service providers. To truly safeguard student, staff, and faculty PII, institutions must choose the providers they work with very carefully.

Here are a few things academic institutions should look for – and some red flags to avoid – when assessing service providers’ ability to protect PII.

What to Look For

Our last post discussed why schools should use single sign-on (SSO) to authenticate users for access to resources. For the same reasons, institutions should seek vendors who support their SSO method of choice, be it Shibboleth, Active Directory Federation Services (ADFS), or another.

Look for service providers who incorporate security and privacy by design into their applications. Research what compliance certifications prospective vendors have. For example, do they comply with privacy laws like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA)? Do they adhere to the latest Web Content Accessibility Guidelines (WCAG)?

There are many other things to look for when assessing service providers. For example, vendors that offer end-user support and account management can free up IT resources. But a service provider’s ability to safeguard user data should be the top consideration.

What to Avoid

A study by Me2B found that 60% of apps used by academic institutions share student data with high-risk or unvetted parties. This statistic should scare schools as well as students: with strict privacy laws like the GDPR and CCPA proliferating around the world, institutions that mishandle students’ PII (or work with organizations that do) could face harsh fines for noncompliance.

As a rule, academic institutions should be wary of any service provider with a business model predicated on the sale of user data. This standard should apply not only to prospective vendors going forward, but in reassessing current partnerships as well.

Institutions should also avoid vendors that use technologies and practices that increase the risk of student data being unintentionally compromised. This includes service providers that don’t support SSO, as other authentication methods require the creation of multiple accounts and the sharing of credentials with outside parties – all of which increase the odds of data being compromised in a breach.

How to Assess

These are the traits that schools should look for (and steer away from) when assessing potential service providers. But how can institutions determine which vendors have these traits?

Fortunately, there’s a tool to help schools make this determination. The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a questionnaire template designed specifically for colleges and universities to assess potential vendors’ risk level and ability to ensure data security. For more details about how this works, check out our earlier blog on the importance of HECVAT.

Having vendors complete this kind of questionnaire should be a baked-in part of every institution’s procurement process. This will help schools separate the vendors capable of protecting PII from those that may not be.
