Cloud Services and Software Implementation Guidelines

A) Compliance Requirements for Technology Purchases

Critical Business Systems With PCI, FERPA, HIPAA, PII, GLBA

For any systems or cloud services hosting business or academic processes which in any way are involved with student or employee data, or otherwise require PCI, FERPA, GLBA, HIPAA and/or other regulatory compliance, one of the following sets of conditions must be fully completed by the requester and proposed provider, and approved by IT before purchasing the solution. This is a federal government requirement related to Title IV / GLBA compliance.

IT will assist where possible in guiding the requester and vendor through any questions they may have in this important regulatory compliance process and finding the most expedient path to a compliant solution.

You may submit the following information directly via email to ServiceDesk@letu.edu or email that same address requesting further consultation if needed as you prepare the information below.

1) HECVAT + LETU Cloud Guidelines

• LETU Guidelines for Implementing Cloud Applications (attached document)
  (These guidelines should be completed to the best of the provider's ability. They help LETU identify follow-up questions. It is okay to leave lines blank if the vendor has no response - we will let them know if that causes concerns for your business need. In some cases LETU may determine there is no need for the Cloud Guidelines to be directly completed by the vendor and will instead pass along a subset of questions to the LETU stakeholder requesting the approval.)
• HECVAT Full Form (EDUCAUSE-provided security and Business Continuity evaluation)
  https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
• Provider contract must bind provider to honor applicable compliance regulations such as GLBA, FERPA, PCI and must assert that HECVAT will be kept up to date and an updated copy provided annually to LETU either automatically, or on request.
• For cloud providers, submission of Cloud Control Matrix (CCM) / Consensus Assessments Initiative Questionnaire (CAIQ) is strongly preferred and may be required for those not submitting TX-RAMP Lvl2 or SOC-2 documents below.
• All requirements under (B) General Purchasing Requirements below
  
  - or -

2) TX-RAMP Lvl 2 + LETU Cloud Guidance

• LETU Guidelines for Implementing Cloud Applications (attached document)
  (These guidelines should be completed to the best of the provider's ability. They help LETU identify follow-up questions. It is okay to leave lines blank if the vendor has no response - we will let them know if that causes concerns for your business need. In some cases LETU may determine there is no need for the Cloud Guidelines to be directly completed by the vendor and will instead pass along a subset of questions to the LETU stakeholder requesting the approval.)
• TX-RAMP Level 2 Certification for any solution storing or transmitting protected consumer/student information (TX-RAMP Certified Cloud Products)
  (TX-RAMP certification will typically eliminate a number of required questions from the LETU Guidelines document)
• Provider contract must bind provider to honor applicable compliance regulations such as GLBA, FERPA, PCI and must assert that TX-RAMP Lvl 2 will be kept up to date and an updated copy provided annually to LETU either automatically, or on request.
• For cloud providers, submission of Cloud Control Matrix (CCM) / Consensus Assessments Initiative Questionnaire (CAIQ) is strongly preferred.
• All requirements under (B) General Purchasing Requirements below
   

         - or - 

3) SOC-2 + LETU Cloud Guidance

• LETU Guidelines for Implementing Cloud Applications (attached document)
  (These guidelines should be completed to the best of the provider's ability. They help LETU identify follow-up questions. It is okay to leave lines blank if the vendor has no response - we will let them know if that causes concerns for your business need. In some cases LETU may determine there is no need for the Cloud Guidelines to be directly completed by the vendor and will instead pass along a subset of questions to the LETU stakeholder requesting the approval.)
• SOC-2 for any solution storing or transmitting protected consumer/student information
  (SOC-2 certification will typically eliminate a number of required questions from the LETU Guidelines document)
• Provider contract must bind provider to honor applicable compliance regulations such as GLBA, FERPA, PCI and must assert that SOC-2 will be kept up to date and an updated copy provided annually to LETU either automatically, or on request.
• For cloud providers, submission of Cloud Control Matrix (CCM) / Consensus Assessments Initiative Questionnaire (CAIQ) is strongly preferred.
• All requirements under (B) General Purchasing Requirements below

4) GLBA Self-Attestation

(Use of this approval path is non-preferred, it is documented to handle solutions which only handle certain types of non-regulated data, and in all cases options 1, 2 and 3 are to be preferred and option 4 used only where the above options are not possible. IT and any applicable Data guardians at LETU must approve use of this option for any vendor.)

• LETU Guidelines for Implementing Cloud Applications (attached document)

• All requirements under (B) General Purchasing Requirements below

• Satisfactory response to self-attestation letter as follows:
  The Department of Education has updated its requirements to reference and incorporate the FTC’s most current version of the “Standards for Safeguarding Customer Information” commonly known as the Safeguards Rule  - part of the Gramm-Leach-Bliley Act (GLBA) 
  
  The effective date for most of the changes to the Safeguards Rule which apply to DOE-regulated institutions receiving federal financial aid funding was June 9, 2023.
  
  As an institution we must document compliance with these regulations by collecting confirmation from any software vendors LETU uses to manage, store, or transmit student data that their products and services are either compliant with the requirements of the updated Title IV/GLBA safeguards rules – or exempted by reason of not handling regulated student data and if so receive a statement to that effect from the provider.
  
  The questions we need answered as part of that final compliance process are below.
  
  1.    Does your product transmit or store any data unique to specific current, former or prospective students including but not limited to any PII, FERPA, GLBA or other protected information? If so does it transmit this data, store this data, or both?
  2.    Does your solution enforce the use of MFA for access to the data above?
  3.    Does your solution encrypt all such data above in transit?
  4.    Does your solution encrypt all such data above at rest?

• Provider contract must bind provider to honor applicable compliance regulations such as GLBA, FERPA, PCI and must assert that applicable attestations and compliance requirements used to justify use of option 4 will be kept up to date and an updated copy provided annually to LETU either automatically, or on request.

-----------------------------------------------------------------------------

Critical Business Systems WITHOUT PCI, FERPA, HIPAA, PII

For any systems or cloud services hosting important business processes which do not require PCI, FERPA and/or HIPAA compliance, the following documents must be completed and approved by IT before purchasing the solution:

• LETU Guidelines for Implementing Cloud Applications (attached document)
• HECVAT Lite or TX-RAMP Level 1
• All requirements under (B) General Purchasing Requirements below
  
  - or -
   
• Minimum Viable Secure Product (mvsp.dev)
  (The LETU InfoSec Council ill determine whether HECVAT-Lite or MVSP is to be used for non-PCI/FERPA/HIPPAA needs)
• All requirements under (B) General Purchasing Requirements below
  
  - or - 
   
• TX-RAMP Level 2 Certification
• All requirements under (B) General Purchasing Requirements below

Non-Critical Business Systems WITHOUT PCI, FERPA, HIPAA, PII

For any systems or cloud services hosting non-critical processes without security, business continuity, or student data concerns, the following must be completed and approved by IT before purchasing the solution:

• HECVAT Lite or TX-RAMP Level 1
• All requirements under (B) General Purchasing Requirements below

B) General Purchasing Requirements

• Notify Purchasing office for any purchase expected to exceed $2,000.
• Purchasing Office and IT approval are required for any cloud, software or other technology purchases at or above $2,000
• IT approval is required for any cloud, software or other technology purchases below $2,000
• Documentation of the following areas not currently answered in the HECVAT (can be requested separately in an email to the vendor):
  • Total cost and renewal period along w/ a trial period (what is our commitment / ability to move in a different direction)
  • SLAs (what can LETU expect in terms of availability and what will be credited to us if SLAs are not met)
  • Specific references (what peers or other customers have confirmed the product is effective and reliable)
  • Training (who is responsible for support and training questions on the solution)
  • Local client config (what requirements does the solution impose on local devices)
  • Email/Texting (SPF/DKIM) (is any email or texting capability compliant with applicable regulations and policies)
  • Competitors (what alternatives were considered and how did they compare)