New Application Vendor Process
The vendor should be able to answer these questions:
Can you provide a Voluntary Product Accessibility Template (VPAT)? If not, how do you address Accessibility concerns?
Can you provide your Privacy, Security, and Data Retention policies?
Can you provide a Higher Education Community Vendor Assessment Tool (HECVAT) assessment?
Do you support Single Sign-On (SSO), and if so, what methods do you support?
Is this application installed by the user, hosted by the vendor, or Software-as-a-Service (SaaS)? Where are your servers hosted?
How is the product licensed?
If this system will track European students, does it comply with GDPR?
Can the vendor system automatically purge data based on a document retention policy (5 years, 7 years, etc.)?
More About These Requirements
Privacy, Security, Data Retention
The vendor should be able to provide their publicly posted privacy and security policies. We are obligated by state and federal law to protect personally identifying information and student records, and the vendor should be able to describe how it protects this data, with whom it shares it, how long it retains it, and how it protects it against business interruptions.
In addition, they should be able to explain how they would respond to a documentation hold request in the case of litigation.
ITS policy requires that we use SSO whenever it is available, because it is a security best practice and provides a superior user experience.
The vendor should be able to provide a list of supported SSO methods (SAML, InCommon Federation, OAuth, etc.) and configuration instructions for ITS to use during implementation.
The vendor should be able to describe where and how this application will run, and provide a Business Continuity plan in case of a natural disaster or other business-impacting event. Here are some ways applications are hosted:
On-Premise: the vendor provides software that we (ITS) will install and run.
Hosted: the vendor installs and runs the software on their equipment, but ITS maintains it.
Software-as-a-Service (SaaS): all functions are performed by the vendor. This is the most common form of application hosting.
What kind of data needs to be exchanged between this new application and other campus systems, such as Banner?
What information needs to be exchanged in to or out of this system from Eckerd's Student Information, Customer Resource Manager, or Enterprise Resource Planning systems?
What transport mechanism will be used (examples: scp, sftp, CSV files, RESTful services)?