We have a list of question that we (the dept. buying the software) fill out based on our own reading of the contract/interaction with the vendor. Those include things like:
- Does Lehigh retain all rights to our and our customer data?
- Can we access and remove all of our data?
- Is FERPA in scope?
- Is HIPAA in scope?
- Is GLBA in scope
- Are they willing to submit a HECVAT survey?
- Does the data leave the United States?
- Is encryption enforced at rest and in transit?
- Are data security controls spelled out in the contract? SOC2?
- Do we have the ability to audit or view an independent audit of these controls?
- Are are they required in contract to follow their security policy?
So, our legal/IT folks certainly ask for specific information, but none of these things are
required for
every piece of software we buy/vendor we use. It really comes down to risk assessment. We'd be (and have been) a lot more strenuous on a full CRM system handling all donor data/financials then we would be a system that was just meant to hold constituent emails/names.
So, in short, we certainly try to get ask much security info as we can, but it's not a requirement, just a part of the decision making process.
I see that you're not in HE, but it still may be worth looking into something like
HECVAT that's kind of a standard survey a vendor could use across many clients, rather than having them fill out a bespoke survey for each client.
Good luck.
Sean
------------------------------
Sean Shappell
Asst. Vice President, Information Services
Lehigh University
ses211@lehigh.edu------------------------------