Educause Security Discussion mailing list archives

Reviewing Software Vendors


From: "Harvey, Matthew" <mharvey4 () HOWARDCC EDU>
Date: Fri, 8 Nov 2019 20:11:35 +0000

Hello Team,

Looking for some guidance on what good looks like for software and LTI vendors. There is plenty of assessment data 
(HECVAT, security questionnaires, Privacy Policy, compliance with frameworks, etc.), but am curious if other
institutions use just one of these tools, or weigh the results from each and evaluate risk based on the multiple 
sources.  For instance, do you gather all this data and assign values and requirements such as "If compliant with 
ISO27001 then meets requirements", or "If score on HECVAT is lower than C, then must be GDPR compliant".  We are 
considering an IMS Global membership as this will provide us with another assessment source (rubric), but wonder how to 
put these pieces together.

Thanks!!

Matt Harvey
Cybersecurity Analyst
Howard Community College
