Vendor Technology Review

Name of New Technology

Enter the name of the new technology that you would like reviewed

SJU Contact

Please provide the name of the SJU employee or contact that you are working with.

Is this part of an RFP response?

RFP #

Description of Technology

Please provide a description of the new technology to be reviewed. Also provide vendor name and contact information.

Vendor Relationship with SJU

Does your organization currently conduct business with SJU? If yes, please select "Existing". If no, please select "New".

Does the product support Single Sign-On (SSO) authentication with Entra/Azure (SAML)?

If the product does not support SSO, what options are available to control authentication?

What data storage options does the vendor's product support?

Cloud hosted

On premises

Hybrid

Are vendor computers equipped with and running any of the following?

Anti-Virus

Endpoint Detection and Response EDR

Extended Detection and Response XDR

Other

Does the vendor comply with export control regulations?

Does the vendor engage in any data mining practices?

Provide all technical configuration changes required to be made by SJU for implementation.

Does the vendor’s product provide an API for data integration?

API Support

API Key

OAuth2

Other

If the API supports other authentication methods, please provide more information.

Does the product integrate with third party payment gateways?

What payment providers or gateways are supported?

Does the implementation require the transmission, processing, or storage of SSN’s?

Does the vendor maintain a Software Bill of Materials (SBOM) for tracking dependencies?

Does the vendor have a vulnerability disclosure program (VDP) for reporting security issues?

How will the vendor share demonstrate compliance with the GLBA and the FTC Safeguards Rule?

Annual compliance attestations to SJU

Annual penetration testing results to SJU

Annual reassessment report to SJU

Annual security audit reports to SJU

Other

What other ways will the vendor show compliance?

How quickly does the vendor notify customers in the event of a security incident?

Are there disaster recovery services ensuring quick restoration of SJU’s systems?

What is the retention period for University data in the vendor’s system?

Does the vendor perform backups of University data?

If backups are performed, is the data stored offsite with a third-party provider?

Does the vendor perform security monitoring of access to University data?

Are penetration tests and security assessments performed on vendor systems and applications?

Will the vendor provide SJU with the results/executive summaries of such assessments?

Will independent third-party penetration testing occur on the vendor’s system that SJU uses?

If Yes, how frequently?

Does the vendor have any of the following full-time positions?

Chief Information Security Officer

Information Security Director

Information Security Officer

No

Ability to support a lawful subpoena or e-discovery order is issued to obtain SJU data at vendor?

Please use the attachment box below to upload a copy of your HECVAT if available.

Please be advised SJU may request a completed HECVAT if one is not available.

Are any of the following available to share?

Please attach any available artifacts to this form (attachment field below).

API Documentation

Data security policies and compliance attestations

Third-party security audit reports

MSA or Terms of Agreement

Privacy Statement

Voluntary Product Accessibility Template (VPAT)

No

Please use the attachment box below, if you have any of the documents listed above.

Attachment

File attachments associated with the ticket.

Browse...

Additional Comments

If any answers need addition context please add the question number and comment here.

Your name

Your email address

Verification Code

Vendor Technology Review

Other Fields