Completed project: Shared Assessments
Primary UITS contacts: Andrew Korty, Jeremy Geib
Completed: March 2012
Description: IU is leading an EDUCAUSE project team to identify a tool higher education institutions can use to evaluate the security and privacy controls implemented by third-party vendors and service providers. The project will start by evaluating Shared Assessments, one such tool. In conjunction with IU Purchasing, the project will consider the benefits of adopting that tool for use at IU to replace a home-grown questionnaire currently in use.
Outcome: We will determine the applicability of the Shared Assessments framework to higher education.
Milestones and status:
- First meeting; discuss team charter and goals Completed July 26, 2010
- Finalize team charter; discuss questions to ask Shared Assessments representatives at next meeting Completed August 9, 2010
- Conference call with Shared Assessments representatives Completed August 23, 2010
- Project team members presented Shared Assessments at EDUCAUSE 2010. Completed October 13, 2010
- The project team created a survey designed to gather information about procurement review processes at participating institutions. Completed November 8, 2010
- Review the results of the procurement survey Completed December 2010
- Review the Shared Assessments Standard Information Gathering Questionnaire v6 Completed December 2010
- Invite business process stakeholders (Purchasing, University Counsel, compliance experts, and data stewards) from each institution represented on the project team to a conference call to learn about and discuss Shared Assessments Completed February 2011
- Presented and held birds-of-a-feather session on vendor assessments at the EDUCAUSE Security Professionals Conference Completed April 5, 2011
- Presented on shared assessments at the 2011 CACR Summit Completed April 11, 2011
- Completed gap analysis among institutional questionnaires and shared assessments Completed July 15, 2011
- Completed first draft of final report to EDUCAUSE governance, risk, and compliance working group Completed July 25, 2011
Benefits: Standard assessment processes and documents would reduce time and resources needed to complete RFPs, ease vendor pain, and provide some assurance that our processes are thorough and consistent.
Related information: http://sharedassessments.org/
Client impact: If new processes or questionnaires are adopted, we will work with IU Purchasing to transition from our current home-grown questionnaire. Vendors and third parties whose products and services impact security will need to complete these new questionnaires (or submit already completed ones) instead of our current questionnaire. Using a standard tool like Shared Assessments allows vendors and third parties to complete one questionnaire and submit it to multiple potential clients.
Project team: Andrew Korty, Jeremy Geib, and individuals from other EDUCAUSE member institutions
Governance: Andrew Korty and Jeremy Geib are co-chairs of the project team.