Higher Education Cloud Vendor Assessment Tool - Lite (HECVAT Lite), Version 1.06

Row format for the question sections below: the Lite question ID (with the corresponding HECVAT Full ID in parentheses where the form provides one), the question, the vendor's answer, any additional information the vendor supplied, and the form's guidance on what the answer should include.

General Information

GNRL-01 through GNRL-06; populated by Institution

GNRL-01 Institution Department: San Francisco State University, College of Health and Social Sciences
GNRL-02 Institution Department Primary Campus: San Francisco
GNRL-03 Institution Department Code: (not populated; form placeholder "Institution Department Code")
GNRL-04 Institution Department Contact Name: Susanna Jones
GNRL-05 Institution Department Contact Email: susjones@sfsu.edu
GNRL-06 Institution Department Contact Phone Number: 415-338-6908

GNRL-07 through GNRL-14; populated by Vendor

GNRL-07 Vendor Name: Shearwater International Inc.
GNRL-08 Product Name: Mentor Collective
GNRL-09 Product Description: Mentor Collective provides a web application where mentors and students can access content to support their mentorship, and educators can access aggregate- and individual-level data about the mentorships in their program.
GNRL-10 Web Link to Product Privacy Notice: Please see: Updated Privacy Policy.pdf
GNRL-11 Vendor Contact Name: Emma Baumgartner
GNRL-12 Vendor Contact Title: Manager of Finance & Operations
GNRL-13 Vendor Contact Email: emma@mentorcollective.org
GNRL-14 Vendor Contact Phone Number: 973-349-6825

GNRL-15 and GNRL-16; populated by Institution Security Office

GNRL-15 Campus Security Analyst/Engineer: (not populated; form placeholder "Campus Security Analyst/Engineer Name")
GNRL-16 Assessment Contact: (not populated; form placeholder "ticket#@yourdomain.edu")

Documentation

DOCU-01
  Question: Have you undergone a SSAE 16 audit?
  Vendor Answer: No
  Additional Information: (none provided)
  Guidance: Describe any plans to undergo a SSAE 16 audit.

DOCU-02
  Question: Have you completed the Cloud Security Alliance (CSA) self assessment or CAIQ?
  Vendor Answer: No
  Additional Information: (none provided)
  Guidance: Describe any plans to complete the CSA self assessment or CAIQ.

DOCU-03
  Question: Have you received the Cloud Security Alliance STAR certification?
  Vendor Answer: No
  Additional Information: (none provided)
  Guidance: Describe any plans to obtain CSA STAR certification.

DOCU-04
  Question: Do you conform with a specific industry standard security framework? (e.g. NIST Special Publication 800-53, ISO 27001, etc.)
  Vendor Answer: No
  Additional Information: (none provided)
  Guidance: Describe any plans to conform to an industry standard security framework.

DOCU-05
  Question: Are you compliant with FISMA standards (indicate at what level)?
  Vendor Answer: Yes
  Additional Information: (none provided; no level or ATO details given)
  Guidance: Indicate level, agency issuing ATO, and necessary details on ATO. If using FedRAMP, please indicate the supporting details.

DOCU-06
  Question: Does your organization have a data privacy policy?
  Vendor Answer: Yes
  Additional Information: See: Information Security Policy.pdf
  Guidance: Provide your data privacy document upon submission.

Company Overview

COMP-01
  Question: Describe your organization's business background and ownership structure, including all parent and subsidiary relationships.
  Vendor Answer: Privately owned; no parent or subsidiary relationships.
  Guidance: Include circumstances that may involve off-shoring or multi-national agreements.

COMP-02
  Question: Describe how long your organization has conducted business in this product area.
  Vendor Answer: Beginning in 2015

COMP-03
  Question: How many higher education, commercial customers and government customers do you serve in North America? Please provide a higher education customer reference if available.
  Vendor Answer: We are currently running 38 higher education programs.

COMP-04
  Question: Please explain in detail any involvement in business-related litigation in the last five years by your organization, its management, or the staff that will be providing the administrative services.
  Vendor Answer: N/A

COMP-05
  Question: Describe the structure and size of your Security Office and overall information security staff. (e.g. Admin, Engineering, QA/Compliance, etc.)
  Vendor Answer: Our engineering team serves as our information security unit; hence the org chart is identical to that of our engineering organization. We have three full-time engineers and a head of product & engineering.

COMP-06
  Question: Describe the structure and size of your Software and System Development teams. (e.g. Customer Support, Implementation, Product Management, etc.)
  Vendor Answer: Our product management and customer support teams consist of two product managers, a head of product, four customer support associates, two student success managers, and a head of customer success.

COMP-07
  Question: Use this area to share information about your environment that will assist those who are evaluating your company's data security safeguards.
  Vendor Answer: Regarding the physical environment, the Mentor Collective office is secured with passkeys only given to employees. We do not store hard copies of documents. Employees use two-factor authentication on all computers.

Application/Service Security

HLAP-01 (HECVAT Full ID APPL-04)
  Question: Can user access be customized to allow read-only access, update access, or no-access to specific types of records, record attributes, components, or functions?
  Vendor Answer: Yes

HLAP-02 (HECVAT Full ID APPL-05)
  Question: Describe or provide a reference to how user security administration is performed.
  Vendor Answer: Users can access certain levels of protected resources depending on their privilege level.
  Guidance: If available, submit documentation and/or web resources.

HLAP-03 (HECVAT Full ID APPL-08)
  Question: Describe or provide a reference to the controls that are in place to secure their remote environment and connection to institution's data.
  Vendor Answer: Data is stored in Postgres, where it is encrypted at rest with AES-256, block-level storage encryption. Our services are only accessible over HTTPS. Credentials are protected with 2FA.

HLAP-04 (HECVAT Full ID APPL-12)
  Question: Can you provide overall system and/or application architecture diagrams including a full description of the data communications architecture for all components of the system?
  Vendor Answer: Yes
  Additional Information: Please see: Architecture Diagram.pdf
  Guidance: If available, submit documentation and/or web resources.

HLAP-05 (HECVAT Full ID APPL-20)
  Question: Does the system provide data input validation and error messages?
  Vendor Answer: Yes

HLAP-06 (HECVAT Full ID APPL-21)
  Question: Do you employ a single-tenant or multi-tenant environment?
  Vendor Answer: Multiple-tenant
  Additional Information: Separation is achieved through strict controls at the application layer, which are verified by automated tests that run at each deploy.

Authentication, Authorization, and Accounting

HLAA-01 (HECVAT Full ID AAAI-02)
  Question: Can you enforce password/passphrase complexity requirements [provided by the institution]?
  Vendor Answer: Yes

HLAA-02 (HECVAT Full ID AAAI-05)
  Question: Describe or provide a reference to the types of authentication, including standards-based single-sign-on (SSO, InCommon), that are supported by the web-based interface.
  Vendor Answer: We invite participants to create accounts based on whether they are identified by the partner institution. When creating accounts, participants set up a password with standard password security guidelines.
  Guidance: Include user-end and administrative authentication types.

HLAA-03 (HECVAT Full ID AAAI-12)
  Question: Describe or provide a reference to the authentication and authorization systems such as Active Directory, Kerberos (what version) or an institution centralized authorization service that work with your application.
  Vendor Answer: None
  Guidance: Include user-end and administrative authorization types.

HLAA-04 (HECVAT Full ID AAAI-14)
  Question: Does the system (servers/infrastructure) support external authentication services (e.g. Active Directory, LDAP) in place of local authentication?
  Vendor Answer: No

HLAA-05 (HECVAT Full ID AAAI-18)
  Question: Does your system have the capability to log security/authorization changes as well as user and administrator security (physical or electronic) events (e.g., login failures, access denied, changes accepted), and all requirements necessary to implement logging and monitoring on the system? Include information about SIEM/log collector usage.
  Vendor Answer: Yes
  Additional Information: (none provided; no SIEM/log collector details given)

Business Continuity Plan

HLBC-01 (HECVAT Full ID BCPL-01)
  Question: Do you have a documented Business Continuity Plan (BCP)? If so, can it be shared?
  Vendor Answer: No
  Additional Information: This can be created.

HLBC-02 (HECVAT Full ID BCPL-05)
  Question: Is there a documented communication plan in your BCP for impacted clients?
  Vendor Answer: No
  Additional Information: This can be created.

HLBC-03 (HECVAT Full ID BCPL-06)
  Question: Are all components of the BCP reviewed at least annually and updated as needed to reflect change?
  Vendor Answer: No

HLBC-04 (HECVAT Full ID BCPL-11)
  Question: Does your organization conduct an annual test of relocating to this alternate site for business recovery purposes?
  Vendor Answer: No

Change Management

HLCH-01 (HECVAT Full ID CHNG-02)
  Question: Do you have a Change Management Plan? If so, can it be shared?
  Vendor Answer: No
  Additional Information: This can be created.

HLCH-02 (HECVAT Full ID CHNG-03)
  Question: How and when will the Institution be notified of major changes to your environment that could impact our security posture?
  Vendor Answer: We will notify the institution of any such major environmental changes via email at the time of the changes.

HLCH-03 (HECVAT Full ID CHNG-13)
  Question: Do you have documented procedures on how security risks are mitigated until patches can be applied? If so, can it be shared?
  Vendor Answer: Yes
  Additional Information: See: Patch Documentation.pdf

HLCH-04 (HECVAT Full ID CHNG-15)
  Question: Do procedures exist to provide that emergency changes are documented and authorized (including after the fact approval)? If so, can it be shared?
  Vendor Answer: Yes
  Additional Information: See: Patch Documentation.pdf
  Guidance: Provide a detailed description.

Data

HLDA-01 (HECVAT Full ID DATA-02)
  Question: Is institution data physically and logically separated from that of other customers?
  Vendor Answer: Yes

HLDA-02 (HECVAT Full ID DATA-04)
  Question: Is sensitive data encrypted in transport and storage (e.g. disk encryption and at-rest)?
  Vendor Answer: Yes
  Additional Information: Our services use HTTPS to encrypt data in transport and our databases use AES-256 encryption at rest.
  Guidance: Provide a detailed description.

HLDA-03 (HECVAT Full ID DATA-25)
  Question: Do backups containing institution data ever leave the United States of America either physically or via network routing?
  Vendor Answer: No

HLDA-04 (HECVAT Full ID DATA-26)
  Question: Describe or provide a reference to your media handling process, that is documented and currently implemented, including end-of-life, repurposing, and data sanitization procedures.
  Vendor Answer: Our provider Heroku uses industry-standard procedures around media handling.

HLDA-05 (HECVAT Full ID DATA-31)
  Question: Is any institution data visible in system administration modules/tools?
  Vendor Answer: Yes
  Additional Information: Authorized employees are able to view participant names and email addresses.

Database

HLDB-01 (HECVAT Full ID DBAS-01)
  Question: Does the database support encryption of specified data elements in storage?
  Vendor Answer: Yes
  Additional Information: We hash user passwords, but otherwise rely on block-level encryption for our databases, as discussed above.
  Guidance: Describe the type of encryption that is supported.

HLDB-02 (HECVAT Full ID DBAS-02)
  Question: Do you currently use encryption in your database?
  Vendor Answer: Yes
  Additional Information: Yes, we use AES-256 encryption as discussed above.
  Guidance: Describe how encryption is leveraged.

Datacenter

HLDC-01 (HECVAT Full ID DCTR-10)
  Question: List all data centers and their cities, states (provinces), and countries where institution data will be stored (including within the United States). Does your company own these data centers?
  Vendor Answer: Our servers are hosted in the cloud. We use Amazon Web Services (AWS) and do not have our own data center.
  Guidance: Provide a detailed description of where university data will reside.

HLDC-02 (HECVAT Full ID DCTR-01)
  Question: Does your company own the physical data center where institution data will reside? If so, do these servers reside in a co-located data center?
  Vendor Answer: No

HLDC-03 (HECVAT Full ID DCTR-02)
  Question: Does the hosting provider have a SOC 2 Type 2 report available?
  Vendor Answer: Yes
  Additional Information: (none provided; report not attached)
  Guidance: Obtain the report if possible and add it to your submission.

HLDC-04 (HECVAT Full ID DCTR-06)
  Question: Does the physical barrier fully enclose the physical space preventing unauthorized physical contact with any of your devices?
  Vendor Answer: Yes

Disaster Recovery Plan

HLDR-01 (HECVAT Full ID DRPL-01)
  Question: Do you have a Disaster Recovery Plan (DRP)? If so, can it be shared?
  Vendor Answer: Yes

HLDR-02 (HECVAT Full ID DRPL-04)
  Question: Are any disaster recovery locations outside the United States? If so, please provide the locations.
  Vendor Answer: No

HLDR-03 (HECVAT Full ID DRPL-13)
  Question: Are all components of the DRP reviewed at least annually and updated as needed to reflect change?
  Vendor Answer: Yes
  Additional Information: We regularly update our disaster recovery processes in accordance with changes to our infrastructure.
  Guidance: Describe that process.

Firewalls, IDS, IPS, and Networking

HLFI-01 (HECVAT Full ID FIDP-01)
  Question: Are you utilizing a web application firewall (WAF) and / or a stateful packet inspection (SPI) firewall?
  Vendor Answer: No

HLFI-02 (HECVAT Full ID FIDP-04)
  Question: Do you have a documented policy for firewall change requests? If so, can it be shared?
  Vendor Answer: No

HLFI-03 (HECVAT Full ID FIDP-09)
  Question: Describe or provide a reference to any other safeguards used to monitor for attacks.
  Vendor Answer: We manually monitor our logs for unusual network traffic.

HLFI-04 (HECVAT Full ID FIDP-10)
  Question: Do you monitor for intrusions on a 24x7x365 basis?
  Vendor Answer: Yes
  Additional Information: (none provided)
  Guidance: Provide a brief summary of this activity.

Physical Security

HLPH-01 (HECVAT Full ID PHYS-01)
  Question: Does your organization have physical security controls and policies in place? If so, can it be shared?
  Vendor Answer: Yes
  Additional Information: All data is encrypted and password protected with two-factor authentication. Two-factor authentication, in combination with strong randomly-generated passwords, is used to protect our Heroku and AWS accounts.

HLPH-02 (HECVAT Full ID PHYS-02)
  Question: Are employees allowed to take home customer data in any form?
  Vendor Answer: Yes
  Additional Information: Some employees bring computers home but if they have downloaded any data they are required to encrypt their hard drive and permanently delete the data when they finish using it.
  Guidance: Provide a detailed description.

Policies, Procedures, and Processes

HLPP-01 (HECVAT Full ID PPPR-01)
  Question: Can you share the org chart, mission statement and policies for your information security unit?
  Vendor Answer: Yes
  Additional Information: Our engineering team serves as our information security unit; hence the org chart is identical to that of our engineering organization. Our mission statement with regard to information security work is to do well by the trust that universities, alumni and students place in us by providing us with their data.

HLPP-02 (HECVAT Full ID PPPR-08)
  Question: Are information security principles designed into the product and / or SDLC life cycle?
  Vendor Answer: Yes
  Additional Information: Developers are responsible for information security and it is a regular part of our SDLC.
  Guidance: Provide a brief description.

HLPP-03 (HECVAT Full ID PPPR-11)
  Question: Do you have a formal incident response plan? If so, can it be shared?
  Vendor Answer: Yes
  Additional Information: Developers escalate security incidents when they are encountered as part of monitoring. See: Patch Documentation.pdf
  Guidance: Provide a brief summary of your incident response plan.

HLPP-04 (HECVAT Full ID PPPR-18)
  Question: Do you have a documented information security policy? If so, can it be shared?
  Vendor Answer: Yes
  Additional Information: See: Information Security Policy.pdf
  Guidance: Provide a brief description or a copy of the document.

Systems Management & Configuration

HLSY-01 (HECVAT Full ID SYST-01)
  Question: Are systems that support this service managed via a separate management network?
  Vendor Answer: No
  Additional Information: (none provided; no compensating controls described)
  Guidance: Describe any compensating controls.

HLSY-02 (HECVAT Full ID SYST-04)
  Question: Can you provide a general summary of your systems management and configuration strategy, including servers, appliances, and mobile devices (company and employee owned)?
  Vendor Answer: Yes
  Additional Information: We use Heroku's industry-standard systems configuration tools.

Vulnerability Scanning

HLVU-01 (HECVAT Full ID VULN-02)
  Question: Have your systems and applications had a third party security assessment completed in the last year? If so, can the results be provided?
  Vendor Answer: Yes
  Additional Information: We performed a vulnerability test using Tinfoil Security software run by a third-party cyber-security consultant. Our platform was considered 'mostly safe', with "no glaring vulnerabilities". The test yielded minor recommendations in terms of improving our cyber security that we will be following up on over the upcoming weeks and months.

HLVU-02 (HECVAT Full ID VULN-03)
  Question: Are your applications scanned for vulnerabilities prior to new releases? If so, can the results be provided?
  Vendor Answer: Yes
  Additional Information: Our engineering team addresses security vulnerabilities as part of code review, but we do not incorporate automated scanning into this review process at each release.
  Guidance: Provide a brief description.
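The HLAP-06 answer above describes tenant separation enforced at the application layer and verified by automated tests at each deploy, and HLDA-01 presupposes that row-level scoping. The following is an added example, not Mentor Collective's code and not part of the HECVAT form, of what such a control and its deploy-time isolation test look like. It uses Python with sqlite3 standing in for the Postgres database named in HLAP-03 so it runs offline; the table, column and class names (participants, program_id, ParticipantRepo) are assumptions.

```python
"""Added example (not the vendor's code): application-layer tenant separation
for a multi-tenant database, plus the kind of automated isolation test that
can gate each deploy.

Assumptions: sqlite3 stands in for Postgres so this runs offline; the table
and column names (participants, program_id) are hypothetical.
"""
import sqlite3


class TenantScopeError(Exception):
    """Raised when a query would touch rows outside the caller's tenant."""


class ParticipantRepo:
    """Every read and write is scoped by program_id; there is no unscoped accessor,
    so a handler cannot forget to filter by tenant."""

    def __init__(self, conn, program_id):
        self.conn = conn
        self.program_id = program_id

    def list_participants(self):
        rows = self.conn.execute(
            "SELECT id, name, email FROM participants WHERE program_id = ?",
            (self.program_id,),
        ).fetchall()
        return [dict(id=r[0], name=r[1], email=r[2]) for r in rows]

    def get_participant(self, participant_id):
        row = self.conn.execute(
            "SELECT id, name, email FROM participants WHERE id = ? AND program_id = ?",
            (participant_id, self.program_id),
        ).fetchone()
        if row is None:
            # Same error whether the row does not exist or belongs to another
            # tenant, so callers cannot enumerate other programs' IDs.
            raise TenantScopeError("participant not found in this program")
        return dict(id=row[0], name=row[1], email=row[2])

    def update_email(self, participant_id, new_email):
        cur = self.conn.execute(
            "UPDATE participants SET email = ? WHERE id = ? AND program_id = ?",
            (new_email, participant_id, self.program_id),
        )
        if cur.rowcount != 1:
            # Zero rows matched: the ID is not in this tenant. Nothing was changed.
            raise TenantScopeError("participant not found in this program")
        self.conn.commit()


def seed_db():
    """Constructed sample data: two programs (tenants) with one participant each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE participants ("
        "id INTEGER PRIMARY KEY, program_id INTEGER NOT NULL, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO participants (id, program_id, name, email) VALUES (?, ?, ?, ?)",
        [(1, 100, "Alice", "alice@example.edu"), (2, 200, "Bob", "bob@example.edu")],
    )
    conn.commit()
    return conn


def isolation_check(conn):
    """The deploy-time test. Returns True only if each tenant sees exactly its own
    rows and every cross-tenant read or write (the classic IDOR) fails closed."""
    a = ParticipantRepo(conn, program_id=100)
    b = ParticipantRepo(conn, program_id=200)
    if [p["id"] for p in a.list_participants()] != [1]:
        return False
    if [p["id"] for p in b.list_participants()] != [2]:
        return False
    try:  # direct lookup of another tenant's row by guessed ID must fail
        a.get_participant(2)
        return False
    except TenantScopeError:
        pass
    try:  # a cross-tenant write must change nothing
        a.update_email(2, "attacker@example.com")
        return False
    except TenantScopeError:
        pass
    return b.get_participant(2)["email"] == "bob@example.edu"


if __name__ == "__main__":
    print("tenant isolation:", "PASS" if isolation_check(seed_db()) else "FAIL")
```

The design choice worth noting is that the tenant identifier is bound once, when the repository object is created from the authenticated session, rather than passed per query; an isolation test like `isolation_check` then only has to prove that no accessor exists which ignores it. Run as a step in the deploy pipeline, a False result blocks the release.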
Acknowledgments

The Higher Education Information Security Council Shared Assessments Working Group contributed
their vision and significant talents to the conception, creation, and completion of this resource.

Members that contributed to Phase II (2017) of this effort are:


Jon Allen, Baylor University
Samantha Birk, IMS Global Learning Consortium
Jeff Bohrer, IMS Global Learning Consortium
Sarah Braun, University of Colorado - Denver
David Cassada, University of California - Davis
Matthew Dalton, University of Massachusetts Amherst
Charles Escue, Indiana University
Joanna Grama, EDUCAUSE
Todd Herring, REN-ISAC
Kolin Hodgson, University of Notre Dame
Tom Horton, Cornell University
Leo Howell, North Carolina State University
Alex Jalso, West Virginia University
Nick Lewis, Internet2
Wyman Miles, Cornell University
Kim Milford, REN-ISAC
Valerie Vogel, EDUCAUSE

Members that contributed to Phase I (2016) of this effort are:


Jon Allen, Baylor University
John Bruggeman, Hebrew Union College, Jewish Institute of Religion
Charles Escue, Indiana University
Joanna Grama, EDUCAUSE
Karl Hassler, University of Delaware
Todd Herring, REN-ISAC
Nick Lewis, Internet2
Kim Milford, REN-ISAC
Craig Munson, Minnesota State Colleges & Universities
Mitch Parks, University of Idaho
Laura Raderman, Carnegie Mellon University
Valerie Vogel, EDUCAUSE
