IT Review Contact: For assistance in reviewing the IT implications of the cloud software or service, please contact firstname.lastname@example.org.
Data Security & Incident Response
Transport Layer: Data-in-motion protection
- How does the vendor transfer data to Western?
- How does the vendor transfer data from Western?
- Can vendor show evidence of its vulnerability management program?
- How often does the vendor scan for vulnerabilities on their network and applications?
- Can Western conduct an external vulnerability assessment on the vendor network, and if so, how?
- What is the vendor's vulnerability remediation process?
Ensure that the vendor's incident response procedures do not violate your own incident response requirements.
- What authentication method does the software support?
- Does the vendor support SSO and If so, which standards?
- Does vendor supports Canadian Access Federation?
Explain the authentication workflow
- Does the vendor provide its own user accounts?
- How does the vendor manage user IDs and access credentials (Shibboleth, Kerberos, CAS)?
- How does the vendor handle the provisioning and de-provisioning of accounts?
Western currently supports Shibboleth (SAML2) and CAS as SSO standards when UWO credentials are to be used.
Western user's password should never be stored or transmitted to the cloud service provider.
Access to Western's LDAP/LDAPS is not supported from off campus.
Compliance and Integrity
- What audit trails are in place so the vendor can monitor data access?
- Can Western get a copy of audit reports upon request?
- Does the vendor have Disaster Recovery or Business Continuity planning documents?
- If so, can we review them? Can we do a Business Continuity audit?
- Where are vendor's recovery data centers located?
- How quickly could vendor restore Western's data from a backup-up if vendor suffered a major data loss?
- What are vendor's policies with respect to vendor's employees or organization accessing Western's data either in an aggregate form or otherwise?
Ensure that the procedures are at least as robust as your own.
Obtain a copy of vendor's security policy for review if possible.
- What level of up time does vendor guarantee in the contract?
- How does Western get a service interruption notification?
- What is vendor's peak load, and does vendor have enough capacity for such a load?
- What is the network bandwidth requirement?
The more nines the better (0.9-> 0.9999).
Vendor should provide downtime notice and you should get notified.
You should consult with your network service providers (Western or external) to ensure such requirements can be met.
- What are the customer support hours?
- Do you provide notice of material reduction in functionality?
Published on and maintained in Cascade CMS.