Technology Security Assessment
We Help You Choose Compliant, Compatible Technology
When Is a Technology Security Assessment Necessary?
- Department purchases a new technology
  - Requisition – Materials Management submits the assessment request.
  - ProCard – The department submits the assessment request.
- Department already owns a technology, and…
  - …the technology has never been assessed. The department submits the assessment request.
  - …the technology’s use case has changed, and a re-assessment is necessary. Cloud-based solutions utilizing sensitive data are reviewed ANNUALLY or during the renewal cycle. The department submits the assessment request.
- Additional guidance for ONLINE INSTRUCTIONAL TOOLS is found at www.ecu.edu/onlinetools/
- Department is contemplating a software purchase (the department submits the assessment request)
What Information Do You Need?
Required information for a cloud-based solution:
- Vendor’s geographic location or third-party data center
- Vendor’s (or third party’s) security policy
- Authentication process and user login URL
- The software’s auditing capabilities
- Username and password configuration including encryption methods
- Data encryption details in both transit and storage
- Your Business Continuity Plan if the software/application is unavailable
- Hosting entity’s Disaster Recovery Plan
- Hosting entity’s report or letter certifying a successful SSAE16 or SOC report issued by a credentialed auditing firm within the last year
Required information for a hosted, onsite solution:
- Authentication process
- Software’s auditing capabilities
- Data storage location
- Username and password configuration plus encryption methods
- Your Business Continuity Plan if the product is unavailable
For information on the software assessment workflow, visit the project office website.