Product: VitalSource Learning Platform
Vetted by
Rick
Johnson,
Co-Founder and Vice President of Solutions Engineering and Accessibility
at VitalSource
on 2024-01-30
Security Rubric Results
- N/A
- UNMET
- PARTIAL
- MEETS
Documentation & Company Information
Data
Systems Management
Third Party Assessment
| Rubric Area | Expectations | ||
|---|---|---|---|
| Documentation & Company Information | Meets | Partially Meets | Doesn't Meet |
|
DOC01 - Have you undergone an external audit?
ANSWER: Has undergone an external audit and can share the audit results or certificate
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC02 - Do you conform with a specific industry standard security framework? (e.g. NIST Cybersecurity Framework, CIS Controls, ISO 27001, etc.)
ANSWER: Conforms with a specific industry standard and can show evidence of conformance
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC03 - Does your organization have a documented data privacy policy?
ANSWER: Yes
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC04 - Do you have a documented, and currently implemented, employee onboarding and off boarding policy?
ANSWER: Yes
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC05 - Do you have a well documented Disaster Recovery Plan (DRP) that is tested annually?
ANSWER: Yes
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC06 - Do you have a documented and currently followed change management process (CMP)?
ANSWER: Has a fully documented process & process is followed and includes a change log
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC07 - Have you had a reportable breach in the last 5 years?
ANSWER: No reportable breaches in the last 5 years
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC08 - Do you have a dedicated Information Security staff or office?
ANSWER: Has a fully dedicated Information Security staff or office
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC09 - Do you follow dev ops practices?
ANSWER: Follows devsec ops practices
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC10 - Can you share the organization chart, mission statement, and policies for your information security unit?
ANSWER: Has an organization chart, mission statement, and policies for the information security unit and is willing to share
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC11 - Are information security principles designed into the product lifecycle?
ANSWER: Information security principles are designed into the product lifecycle and tested against security requirements at each functional code revision
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC12 - Do you have a documented information security policy?
ANSWER: Yes
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC13 - Do you have a formal incident response plan?
ANSWER: Yes and regularly exercised and people are regularly trained
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC14 - Do you carry cyber-risk insurance?
ANSWER: Yes
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC15 - Do you have either an internal incident response team or retain an external team?
ANSWER: Yes, both internal and external
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DOC16 - What is your capability to respond to incidents?
ANSWER: Yes, 24x7x365
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
| Data | Meets | Partially Meets | Doesn't Meet |
|
DA01 - Does the environment provide for dedicated single-tenant capabilities?
ANSWER: Not Applicable
|
NOT APPLICABLE | ||
|
DA02 - Is data encrypted in transport? (e.g. system-to-client, system-to-system)
ANSWER: Yes
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DA03 - Is sensitive data encrypted, using secure protocols/algorithms, in storage? (e.g. disk encryption, at-rest, files, and within a running database)
ANSWER: All data encrypted at rest
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DA04 - Do you have a media handling process, that is documented and currently implemented, including end-of-life, repurposing, and data sanitization procedures?
ANSWER: Yes, has all of the above
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DA05 - Will data regulated by PCI DSS reside in the vended product?
ANSWER: Fully meets PCI DSS requirements.
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
DA06 - Are you able to accommodate storing each institution's data within their desired geographic region?
ANSWER: Not Applicable
|
NOT APPLICABLE | ||
|
DA07 - Does the hosting provider have a SOC 2 Type 2 report available?
ANSWER: Has SOC 2
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
| Systems Management | Meets | Partially Meets | Doesn't Meet |
|
SM01 - Do you have a systems management and configuration strategy that encompasses servers, appliances, cloud services, applications, and mobile devices (company and employee owned)?
ANSWER: Yes
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM02 - Will the institution be notified of major changes to your environment that could impact the institution's security posture?
ANSWER: Yes, prior to the change
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM03 - Are you utilizing a stateful packet inspection (SPI) firewall?
ANSWER: Yes, and alerts are actioned
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM04 - Do you use an automated IDS/IPS system to monitor for intrusions?
ANSWER: Yes
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM05 - Do you require direct connectivity to the Institution's network for support/administration or access into any existing systems for integration purposes?
ANSWER: Any direct connectivity we require will be for limited periods of time and will be fully monitored by the institution
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM06 - Do you support access control (e.g. RBAC, ABAC, PBAC) for end-users?
ANSWER: Provides separation of at a minimum students, teachers / faculty and teaching assistants
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM07 - Do you support access control (RBAC, ABAC, or PBAC) for system administrators?
ANSWER: Yes, it is fully customizable and can provide evidence
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM08 - Do you control and audit employee access to customer data?
ANSWER: Yes to both
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM09 - Does the system provide data input validation?
ANSWER: Yes, follows OWASP guidelines
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM10 - Are you using a web application firewall (WAF)?
ANSWER: Utilizes a web application firewall (WAF) and alerts are actioned
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM11 - Do you subject your code to static code analysis and/or static application security testing prior to release?
ANSWER: Yes
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM12 - Do you enforce MFA for vendor administrative access?
ANSWER: Uses MFA
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM13 - Does your solution support single sign-on (SSO) protocols for user and administrator authentication? (e.g. InCommon)
ANSWER: Does provide a institution approved SSO for institutional users and administrators
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM14 - Are audit logs available to the institution that include AT LEAST all of the following; login, logout, actions performed, timestamp, and source IP address?
ANSWER: Audit logs include all of the following; login, logout, actions performed, and source IP address and are available in admin dashboard
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM15 - Can your system auto provision accounts through SSO?
ANSWER: Yes
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
SM16 - Do you support differentiation between email address and user identifier?
ANSWER: Yes, and enforces it
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
| Third Party Assessment | Meets | Partially Meets | Doesn't Meet |
|
TP01 - Will institution data be shared with or hosted by any third parties?
ANSWER: Shared and/or hosted only to provide service
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
TP02 - Do you perform security assessments provided of third party companies with which you share data? (i.e. hosting providers, cloud services, PaaS, IaaS, SaaS, etc.)
ANSWER: Yes
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
|
TP03 - Have your systems and applications had a third party security assessment completed in the last year?
ANSWER: Yes, has a 3rd party assessment and can provide high level results and gives organization's name
|
Answer Meets Expectations | Unselected Option: | Unselected Option: |
Vetting Context
Policies Cited
The following urls were cited as a basis for this information.
- Privacy Policy https://support.vitalsource.com/hc/en-us/articles/201646123-VitalSource-Technologies-LLC-Privacy-Policy
- Security Practices https://get.vitalsource.com/vitalsource-advantage/security-privacy
Geographical Context
(Laws and regulations can vary across regions)
North Carolina
United States
Regulatory Compliance
The information below provides insight into compliance with various regulatory policies.
US State Regulatory Compliance:
- Arkansas HB 1961
- California AB 1584
- California SB 1177
- California AB 2799
- California AB 2828
- Connecticut HB 5469
- Delaware SB 79
- Delaware SB 208
- Georgia SB 89
- Hawaii SB 2607
- Illinois SB 1796
- Iowa HF 2354
- Kansas HB 2008 (S sub)
- Kentucky HB 232
- Louisiana HB 718
- Maine SP 183
- Maine LD1616
- Maryland HB 298
- Michigan SB 510
- Missouri HB 1490
This application can be used by children under the age of 13.
Email Support@1edtech.org
The views and opinions expressed in this information are those of the authors and do not necessarily reflect the official policy or position of 1EdTech. The information provided is intended to surface trends about the policies and procedures of systems leveraged by the educational community. It should not be considered legal advice.
Disclaimer:
The 1EdTech TrustEd Apps Security Practices Rubric provides a
self-assessment tool for a supplier to evaluate their product,
according to the
1EdTech TrustEd Apps Security Practices Rubric Specification v1.0.
This information is to be a starting point for institutional
security review processes and is not intended to serve as a full
security review. Find out more
here.
© Copyright 2024 1EdTech Global Learning Consortium Inc. All Rights Reserved.
App Vetting Rubric Version: 2