University schools, departments and business units sometimes contract for data services with outside parties or service providers; of concern are those circumstances where service providers process or hold University data. While Duke University has taken steps to help ensure that its data is protected, service providers must also exercise appropriate controls to minimize the risk of exposing the data to potential unauthorized access and loss. (Note: Duke Health requires a separate review process. Initiating a DHTS Demand review is done through ServiceNow (SNow) in the Service Request Catalog (SRC).)
Duke provides a Service Provider Security Assessment to:
- Establish communications and promote constructive dialogue between Duke and the potential service provider
- Help identify business, technical, security, compliance, legal, and other control factors
- Determine the level of risk inherent to the processing of data beyond the University's physical controls
A security assessment is required in all instances where:
- University data is shared with a service provider
- A service provider captures data for subsequent use by the University
Requestors
Performing an assessment
The school, department, or business unit provides the service provider with the links to the instructions for completing the security assessment (this page) and to the security assessment document. Service providers are encouraged to respond fully to the questions and return the completed assessment and any supporting materials to the Duke University unit contact they are working with. The unit contact should submit all documents and a description of how the software will be used to the IT Security Office (security@duke.edu) for review and scoring. The results of the review are provided to the requesting school or business unit, the Office of General Counsel, and Procurement Services. Please note this process can take up to two weeks.
Protected data
Where the University's "Sensitive" and/or "Restricted" data is held or processed by a service provider, there is a potentially higher risk where unauthorized access or loss occurs. The classification of your data will determine what additional documentation is required with your contract. For more information see: Duke's Data Classification Standard.
Required forms
As part of the risk assessment process, vendors must submit the appropriate Higher Education Community Vendor Assessment Tool (HECVAT) with supporting documentation and the Shibboleth Readiness Profile:
- Complete one of the following:
- A SOC 2 Type 2 report performed within the past two years for the vendor themselves (not a cloud service provider such as Amazon Web Services or Microsoft Azure), plus a HECVAT-Lite. The submitted HECVAT-Lite should be version 3.04 or higher, and the Analyst Report worksheet must be present as part of the Excel spreadsheet submitted. No other file format will be accepted.
- A HECVAT-Full (learn more about the Higher Education Community Vendor Assessment Toolkit (HECVAT)). The submitted HECVAT-Full should be version 3.04 or higher, and the Analyst Report worksheet must be present as part of the Excel spreadsheet submitted. No other file format will be accepted.
- Shibboleth Readiness Profile. Duke requires SAML 2.0 authentication to securely integrate with Duke’s Shibboleth authentication service for single sign-on. Vendors must complete this form to determine the level of effort required to integrate a vendor product with Duke’s Shibboleth environment.
Instructions for Vendors
Please answer all questions fully.
- Read the HECVAT Instruction Worksheet first to understand the terminology used.
- In the HECVAT, make sure that the Additional Information entry fully answers what is noted as Guidance for each question.
- The HECVAT has several questions that request additional documentation, please make sure these items are returned with your completed HECVAT and the Shibboleth Readiness Profile.
Use of third-party cloud hosting
If the Service Provider uses a third party such as Amazon Web Services or Microsoft Azure, the Service Provider will need to work with that third party to answer questions specific to how and where Duke University data is accessed and/or stored. Answers of N/A are not appropriate for questions affected by such a hosting arrangement.
Please note: If you are a service provider, please answer the questions thoroughly and send the completed assessment and any supporting materials to the Duke University unit that you are collaborating with. The unit will forward your documents and a description of how the software will be used to the IT Security Office (security@duke.edu) for evaluation and scoring. The University's decision regarding which providers to select is based, in part, on the information included in your response.
Accordingly, should our discussions proceed to the point of contract negotiation, Duke University will expect you to (i) warrant that the services you provide will be in substantial conformity with the information provided in the response to the Service Provider Security Assessment form; (ii) inform Duke promptly of any material variation in operations from that reflected in your response; and (iii) agree that any material deficiency in operations from those as described in your response will be deemed a material breach.
Please answer all questions fully.
- Read the HECVAT Instruction Worksheet first to understand the terminology used.
- In the HECVAT, make sure that the Additional Information entry fully answers what is noted as Guidance for each question.
- The HECVAT has several questions that request additional documentation, please make sure these items are returned with your completed HECVAT and the Shibboleth Readiness Profile.