Software Security Review

If an instructor wishes to utilize software or technology service in their course for which the University does not have a site license, the software must be reviewed through a required risk management process. This process applies to all software and services of any dollar value, even if the students purchase the software or if the product is free.

Why are privacy and security reviews required when working with a vendor?

The University of Connecticut relies on partnerships with vendors to conduct business. At times, we may need to provide vendors with confidential or protected information, including FERPA-protected data such as grades. These reviews are meant to protect the institution and its data from security breaches, improper use of University data, and to ensure appropriate handling of data at contract termination.

What information that needs to be protected is frequently shared in educational technology tools?

A variety of FERPA-protected data are commonly stored in educational technology tools, including grades, test/assignment scores, and courses taken. Whenever a software tool has access to FERPA-protected data, it is allowing private data to be seen by a company outside of UConn. As a university, it is our responsibility to ensure this data is protected. Having a privacy agreement in place with these companies is one way that UConn ensures the protection of FERPA-protected data.

How is a privacy and security review of a vendor triggered?

The process starts when an individual or department creates a requisition within HuskyBuy for a software or technology service purchase, even if there is no cost associated with acquiring the product/platform. The requester must complete the Software and IT Services Form. A representative from the requesting department (usually the administrative personnel who handle purchasing, but this could also be faculty or staff) submits a zero-cost requisition from HuskyBuy. The department will identify whether the software or technology service stores any FERPA-protected data or requires integration or data feeds from existing UConn datasets. If it does store FERPA-protected data or integrates with UConn datasets, the department must complete the Security Vendor Review Request form.

Often ITS becomes aware of the use of an educational software product when an instructor asks for an LTI to be added to HuskyCT. When this request is made, ITS checks whether the instructor has ensured that a privacy agreement is in place. Often it is not, so the agreement must be obtained prior to the LTI placement. This is done by the instructor's department by putting in the zero-cost requisition and completing the Software and IT Services Form. This is done even if the product is paid for by the students or is free, since the zero-cost requisition simply triggers the request for review.

Once the Security Vendor Review Request is submitted, Procurement will review the product to determine if it contains FERPA-protected data. If it does not, there is no need for an agreement. If it does, Procurement will contact the company to start the process of getting them to sign the privacy agreement.

Who completes privacy and security reviews?

Privacy and Security staff in Procurement work with the vendor to complete assessments. Staff then analyze the responses, detect any privacy or security risks, and work toward resolving them.

How long does it take for privacy and security reviews to be completed?

In general, Privacy and Security can launch review assessments within a few days. However, completion of the assessment will largely depend on the vendor's cooperation and on the level of risk detected. It may take a couple of weeks for appropriate reviews to be completed.