Aims Vendor Security Risk Assessment

The Aims Vendor Security Risk Assessment (AVSRA) is used in conjunction with Higher Education Community Vendor Assessment Toolkit (HECVAT) to assess the risk of current and prospective technologies that access, collect, process, or maintain institutional data. The College evaluates submissions based on all applicable security and privacy laws and regulations as well as College policy/procedure. Please note that College data is NOT permitted to be shared with third-party services until the AVSRA has been approved by all reviewing parties. Questions? Please email AVSRA@aims.edu

Vendor Name*

Product Name*

Service Delivery Method*

Select

Because 'Other' was selected, please provide a description of the product or service*

Vendor Contact Name*

Vendor Contact Title*

Vendor Contact Email*

Vendor Contact Phone Number

Please provide a detailed description of the product or service.*

Describe all the types of data that will be collected, created, received, stored, accessed, processed, transmitted, hosted or otherwise managed.*

Do you handle data in a FERPA compliant manner?*

Select

Is platform accessibility documented?*

Yes

Accessibility supporting documentation

Aims Contact Email Address*

Enter the email address of your contact at Aims Community College

HECVAT: Cloud hosted service

Aims Community College is among hundreds of higher education institutions that rely on the Higher Education Community Vendor Assessment Toolkit (HECVAT) for assessing the potential risk of current and prospective third-party vendors. The HECVAT must be completed by the vendor and submitted to the college for review. College data is NOT permitted to be shared with third-party services until the Aims Vendor Security Risk Assessment has been approved by all reviewing parties. Which HECVAT needs to be completed? Use the Data Classification examples below to determine the classification level of the data that will be shared with the third-party service. ►If Confidential data will be used by the product or service, please complete the 'FULL' version. ►If Internal data will be used by the product or service, please complete the 'LITE' version. The HECVAT can be downloaded at https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit

HECVAT: Vendor supported software

HECVAT: Open-source software

Aims Community College is among hundreds of higher education institutions that rely on the Higher Education Community Vendor Assessment Toolkit (HECVAT) for assessing the potential risk of current and prospective third-party vendors. While this tool is important to the college for assessing potential risk, we recognize the challenge that exists with open-source solutions as it pertains to completing the HECVAT. If the open-source solution is supported by a vendor: The vendor must complete the ‘ON-PREMISE’ HECVAT which can be found here: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit If the open-source solution is not supported by a vendor: The open-source solution will be assessed based on public information. College data is NOT permitted to be shared with third-party services until the Aims Vendor Security Risk Assessment has been approved by all reviewing parties.

HECVAT Upload

Drag and drop files here or

Data Classification Level Examples

Confidential ►Personally Identifiable Information (PII) ►FERPA-protected data (non-directory information) ►Student or employee ID number in combination with a first name or first initial and last name ►Payment card data subject to PCI DSS ►Data protected by the Gramm–Leach–Bliley Act (GLBA) ►Social security number ►Date of Birth ►Driver's License/State ID Number ►Bank/Financial Account Number ►Credit/Debit Card Number ►Visa/Passport Number ►Donor contact information and non-public gift information ►Passwords and PINs ►Non-disclosure agreements (NDA) Internal ►Student and employee data not containing Confidential elements ►Non-public policies, manuals, and contracts ►Internal memos and email, non-public reports, budgets, and plans ►Financial transactions not including Confidential data ►Engineering, design, and operational information regarding infrastructure Public ►Faculty/Staff directory data ►FERPA directory data ►Campus maps ►Public-facing websites ►Policy and procedure manuals designated by the owner as public ►Job postings ►Information in the public domain

Send me a copy of my responses

Privacy Notice|Report Abuse

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.