University schools, departments and business units sometimes contract for data services with outside parties or service providers; of concern are those circumstances where service providers process or hold University data. While Duke University has taken steps to help ensure that its data is protected, service providers must also exercise appropriate controls to minimize the risk of exposing the data to potential unauthorized access and loss. (Note: Duke Health requires a separate review process. Initiating a DHTS Demand review is done through ServiceNow in the Service Request Catalog.)
Duke uses the EDUCAUSE Higher Education Community Evaluation Tool (HECVAT) to:
- Establish communications and promote constructive dialogue between Duke and the potential service provider
- Help identify business, technical, security, privacy, compliance, legal, and other control factors
- Determine the level of risk inherent to the processing of data beyond the University's physical controls
A security assessment is required in all instances where:
- University data is shared with a service provider
- A service provider captures data for subsequent use by the University
Depending on the nature of the data, additional reviews may be required by these entities:
- Duke Privacy
- E-Commerce
- Web Accessibility
- The Service Owner for existing Duke services such as Box, M365, Canvas, and any others with which your platform may need to integrate.
Completing the assessment
REQUESTORS
The school, department, or business unit provides the service provider with the link to this page. Service providers should respond fully to the questions and return the completed assessment and the supporting documentation it requests to the Duke University requestor they are working with.
The unit contact should submit all documents and a description of how the software will be used to the IT Security Office (security@duke.edu) for review and scoring. The results of the review are provided to the requesting school or business unit, the Office of General Counsel, and Procurement Services. Please note this process can take up to two weeks.
When providing the documents to the IT Security Office (ITSO), please include an explanation of what Duke data will be processed by the platform and which users will have access to it. If external Duke users will have access, please note who they are and why they need access.
Protected data
Where the University's "Sensitive" and/or "Restricted" data is held or processed by a service provider, there is a potentially higher risk should unauthorized access or loss occur. The classification of your data will determine what additional documentation is required with your contract. For more information see: Duke's Data Classification Standard.
Required forms
As part of the risk assessment process, vendors must submit each of the following items:
- Please complete and return the HECVAT 4.0. To learn more about the tool see: Higher Education Community Vendor Assessment Toolkit. This form must be returned as an Excel spreadsheet with all tabs intact; no other file format will be accepted. The only earlier version that can be accepted is version 3.06 Full.
- If available, your company’s SOC 2 Type 2 report, performed within the past two years. The report must cover your company's own operations, not those of a cloud hosting provider such as Amazon Web Services or Microsoft Azure.
- Shibboleth Readiness Profile. Duke requires SAML 2.0 authentication to securely integrate with Duke’s Shibboleth authentication service for single sign-on. Vendors must complete this form to determine the level of effort required to integrate a vendor product with Duke’s Shibboleth environment. This is a non-negotiable requirement for any platform where Duke students will be users.
Instructions for Vendors
- Read the HECVAT Instruction Worksheet first to understand the terminology used.
- In the HECVAT, make sure that the Additional Information entry fully answers what is noted as Guidance for each question.
- The HECVAT has several questions that request additional documentation. Please make sure these items are returned together with your completed HECVAT and the Shibboleth Readiness Profile. Send these items to the Duke University unit contact you are working with; they will forward your documents, along with a description of how the software will be used, to the IT Security Office (security@duke.edu) for evaluation and scoring. The University's decision regarding which providers to select is based, in part, on the information included in your response.
Please note:
Should our discussion proceed to the point of contract negotiation, Duke University will expect you to (i) warrant that the services you provide will be in substantial conformity with the information provided in your response to the HECVAT; (ii) inform Duke promptly of any material variation in operations from that reflected in your response; and (iii) agree that any material deficiency in operations from those described in your response will be deemed a material breach.
Use of third-party cloud hosting
If the Service Provider hosts its service with a third party such as Amazon Web Services or Microsoft Azure, the Service Provider will need to work with that third party to answer the HECVAT questions specific to how and where Duke University data is accessed and/or stored. Responsibility for those controls is shared, not delegated: answers of N/A are not appropriate for questions affected by such a hosting arrangement.