Security Rubric Results
Rating legend:
- N/A
- UNMET
- PARTIAL
- MEETS
Documentation & Company Information

Item | Answer | Rating | User Notes
---|---|---|---
DOC01 - Have you undergone an external audit? | Has undergone an external audit but cannot share the results, or has not undergone an external audit but has completed the HECVAT, or has not undergone an external audit but is in the process of completion | Partially Meets | Currently undergoing SOC-2 Type 2 audit. Estimated completion March 2025. Completed penetration test and vulnerability scans recently.
DOC02 - Do you conform with a specific industry standard security framework? (e.g. NIST Cybersecurity Framework, CIS Controls, ISO 27001, etc.) | Does not conform with any specific industry standard | Doesn't Meet | Working towards SOC2 Type 2 industry standard.
DOC03 - Does your organization have a documented data privacy policy? | Yes | Meets |
DOC04 - Do you have a documented, and currently implemented, employee onboarding and offboarding policy? | Yes | Meets |
DOC05 - Do you have a well documented Disaster Recovery Plan (DRP) that is tested annually? | Yes | Meets |
DOC06 - Do you have a documented and currently followed change management process (CMP)? | Has a fully documented process; the process is followed and includes a change log | Meets |
DOC07 - Have you had a reportable breach in the last 5 years? | No reportable breaches in the last 5 years | Meets |
DOC08 - Do you have a dedicated Information Security staff or office? | Small organization with a single dedicated person responsible for information security, or information security responsibilities are contracted out | Partially Meets |
DOC09 - Do you follow DevOps practices? | Follows DevSecOps practices | Meets |
DOC10 - Can you share the organization chart, mission statement, and policies for your information security unit? | Does not share organization chart, mission statement, and policies for the information security unit | Doesn't Meet |
DOC11 - Are information security principles designed into the product lifecycle? | Information security principles are designed into the product lifecycle and tested against security requirements at each functional code revision | Meets |
DOC12 - Do you have a documented information security policy? | Yes | Meets |
DOC13 - Do you have a formal incident response plan? | Yes; it is regularly exercised and people are regularly trained | Meets |
DOC14 - Do you carry cyber-risk insurance? | Yes | Meets |
DOC15 - Do you have either an internal incident response team or retain an external team? | Yes, both internal and external | Meets |
DOC16 - What is your capability to respond to incidents? | Yes, 24x7x365 | Meets |
Data

Item | Answer | Rating
---|---|---
DA01 - Does the environment provide for dedicated single-tenant capabilities? | No | Doesn't Meet
DA02 - Is data encrypted in transport? (e.g. system-to-client, system-to-system) | Yes | Meets
DA03 - Is sensitive data encrypted, using secure protocols/algorithms, in storage? (e.g. disk encryption, at-rest, files, and within a running database) | All data encrypted at rest | Meets
DA04 - Do you have a media handling process, that is documented and currently implemented, including end-of-life, repurposing, and data sanitization procedures? | Yes, has all of the above | Meets
DA05 - Will data regulated by PCI DSS reside in the vended product? | Not Applicable | N/A
DA06 - Are you able to accommodate storing each institution's data within their desired geographic region? | No | Doesn't Meet
DA07 - Does the hosting provider have a SOC 2 Type 2 report available? | No compliance documentation available | Doesn't Meet
Systems Management

Item | Answer | Rating
---|---|---
SM01 - Do you have a systems management and configuration strategy that encompasses servers, appliances, cloud services, applications, and mobile devices (company and employee owned)? | Yes | Meets
SM02 - Will the institution be notified of major changes to your environment that could impact the institution's security posture? | Yes, prior to the change | Meets
SM03 - Are you utilizing a stateful packet inspection (SPI) firewall? | Yes, and alerts are actioned | Meets
SM04 - Do you use an automated IDS/IPS system to monitor for intrusions? | Yes | Meets
SM05 - Do you require direct connectivity to the Institution's network for support/administration or access into any existing systems for integration purposes? | Not Applicable | N/A
SM06 - Do you support access control (e.g. RBAC, ABAC, PBAC) for end-users? | Yes, but only separates teachers and students | Partially Meets
SM07 - Do you support access control (RBAC, ABAC, or PBAC) for system administrators? | Yes, but not customizable for specialized admin types | Partially Meets
SM08 - Do you control and audit employee access to customer data? | Yes to both | Meets
SM09 - Does the system provide data input validation? | Yes, provides input validation but does not meet all OWASP guidelines | Partially Meets
SM10 - Are you using a web application firewall (WAF)? | Utilizes a web application firewall (WAF) and alerts are actioned | Meets
SM11 - Do you subject your code to static code analysis and/or static application security testing prior to release? | Yes | Meets
SM12 - Do you enforce MFA for vendor administrative access? | Uses MFA | Meets
SM13 - Does your solution support single sign-on (SSO) protocols for user and administrator authentication? (e.g. InCommon) | Provides an institution-approved SSO for institutional users and administrators | Meets
SM14 - Are audit logs available to the institution that include AT LEAST all of the following: login, logout, actions performed, timestamp, and source IP address? | Audit logs include login, logout, actions performed, and source IP address, and are available in the admin dashboard | Meets
SM15 - Can your system auto-provision accounts through SSO? | Yes | Meets
SM16 - Do you support differentiation between email address and user identifier? | Yes, and enforces it | Meets
Third Party Assessment

Item | Answer | Rating
---|---|---
TP01 - Will institution data be shared with or hosted by any third parties? | Shared and/or hosted only to provide service | Meets
TP02 - Do you perform security assessments of third-party companies with which you share data? (i.e. hosting providers, cloud services, PaaS, IaaS, SaaS, etc.) | Yes | Meets
TP03 - Have your systems and applications had a third-party security assessment completed in the last year? | Yes, has a third-party assessment, can provide high-level results, and gives the assessing organization's name | Meets
Vetting Context
Email Support@1edtech.org
The views and opinions expressed in this information are those of the authors and do not necessarily reflect the official policy or position of 1EdTech. The information provided is intended to surface trends about the policies and procedures of systems leveraged by the educational community. It should not be considered legal advice.
© Copyright 2025 1EdTech Global Learning Consortium Inc. All Rights Reserved.