Back to all blogs

Clarity Security Checklist: Vendor Evaluation Guide

April 8, 2024
Matthew Sherman
CTO & Co-Founder
Patrick Fang
Marketing Operations Manager

Today’s private schools collect and store a vast amount of data related to their students, families, and staff. When education and technology are so closely intertwined, the importance of cybersecurity within private schools cannot be overstated. A growing number of incidents in the past years highlight a growing need for robust security measures to protect sensitive data against cyber threats. This guide outlines an approach for school administrators to initiate discussions with prospective and existing vendors to ensure they prioritize security in addition to providing valuable services.

Data Handling

Data handling in the context of independent schools involves the management of a wide array of personally identifiable information (PII), including but not limited to student academic records, health information, and family financial data. Proper data handling practices are crucial to protect this information from unauthorized access or breaches, which could lead to identity theft, financial fraud, and damage to the school's reputation. Effective data handling is also essential for compliance with legal obligations. 

Policies for Handling Sensitive Data (PII)

Policies for handling sensitive data outline how personal information is collected, used, stored, and disposed of. These policies safeguard against data breaches and ensure compliance with privacy laws. 

Ask your vendor: How do you handle sensitive data? Ask for detailed policies that cover the entire data lifecycle, from collection to deletion, and check that they comply with relevant data protection laws.

Data Encryption Practices

Data encryption involves encoding data to prevent unauthorized access. That means the encryption renders it unreadable and secure even if some data is intercepted. 

Ask your vendor: What encryption methods do you use to secure data in storage and transit? Confirm that the vendor uses industry-standard encryption protocols to safeguard your data from unauthorized access. 

Data Minimization Strategies

Data minimization means only gathering the information necessary, which helps protect everyone's privacy and complies with data protection laws. 

For example, when students sign up for clubs or sports, you could only ask for their name, someone to contact in an emergency, and relevant health info for the activity to minimize data collected. Asking for unnecessary sensitive information like the parent's employment or social security doesn’t help achieve the goal of checking if the student is eligible for the activity and would only increase the negative impact in case of a breach. Your vendors should follow the same principle!

Ask your vendor: How do you practice data minimization in your operations? Especially relating to personally identifiable information of our students, staff, and families. 

Authentication and Access Control 

Authentication and access control mechanisms are critical in verifying users' identities and controlling their access to sensitive information. These mechanisms prevent unauthorized users from accessing student records, financial information, or health data, protecting against data breaches and unauthorized use. Examples include requiring multi-factor authentication (MFA) and role-based access: MFA is a multi-step account login process that requires users to enter more information than just a password. Role-based access controls further enhance this by granting users access only to the information necessary for their roles — for example, allowing teachers access only to their students' records. These security measures effectively prevent unauthorized access, protect against data breaches, and maintain the integrity of sensitive data.

Ask your vendor: How do you incorporate authentication and access control into your service? Ensure that your vendor has strong authentication methods, like multi-factor authentication and role-based access controls, to limit user access based on their organizational role. 

Security Culture

A strong security culture within the vendor’s organization is essential to ensure ongoing vigilance and adherence to best practices in cybersecurity. It involves regular training, awareness programs, and a proactive stance towards managing and mitigating security risks.

Ask your vendor: What is your organization's approach to maintaining a robust security culture? Look for vendors who regularly train their employees on security best practices and have clear policies for managing cybersecurity risks.

Threat Management and Monitoring Practices

Effective threat management and monitoring practices involve identifying, analyzing, and mitigating potential security threats. This proactive approach is crucial for preventing potential security incidents from escalating and affecting the sensitive data of students and staff.

Ask your vendor: How do you manage and monitor potential security threats? The vendor should have a system that continuously monitors suspicious activity and can respond quickly to potential threats.

Incident Response Plan

An incident response plan outlines a vendor's procedures for dealing with security breaches or incidents. This plan is vital for ensuring a swift and coordinated response to minimize damage and restore services as quickly as possible.

Ask your vendor: What is your incident response plan, and how would you notify us in the event of a breach? A reliable vendor should have a clear plan with immediate notification procedures and steps to mitigate the breach.

Disaster Recovery Plan

Disaster recovery plans are essential for restoring data and resuming operations after a cyberattack or natural disaster. These plans ensure that critical services can be quickly restored, minimizing disruption to school operations.

Ask your vendor: Can you provide details of your disaster recovery plan, including data backup and system restoration procedures? Look for comprehensive plans that include regular backups and tested restoration processes.

Cybersecurity Insurance

Cybersecurity insurance offers financial protection and support in the aftermath of a cybersecurity incident. This type of insurance can help cover the costs associated with data breaches, including legal fees, recovery services, and notifications.

Ask your vendor: Do you carry cybersecurity insurance? If so, what does this insurance cover, and what is the coverage limit? Confirming that a vendor has appropriate insurance can provide peace of mind even in the case of an incident.

Access and Change Audit Mechanisms

Access and change audit mechanisms function as digital records that meticulously track every instance when someone accesses or modifies your school's data. Think of them as digital breadcrumbs, marking who altered the data and when. 

In other words, these mechanisms create a log every time data is viewed or changed, ensuring a trail can always be followed in case of any security concerns. This level of oversight is key in managing sensitive information.

Ask your vendor: How do you track and log access to and changes in our data? Verify that they have logging systems that not only record all interactions with your data but will alert the vendor in case of any unusual or unauthorized activities. 

Compliance and Assessments

Adherence with Data Protection Laws

Compliance with legal requirements for data security and privacy is non-negotiable. Vendors must adhere to data protection laws to protect against legal penalties and ensure proper handling of sensitive information.

Ask your vendor: How do you ensure compliance with data protection laws that apply to our school? The vendor should be able to demonstrate how they meet these legal requirements to protect your school and its data.

External Audits and Penetration Testing

External audits and penetration tests are like health checks for the vendor's security systems, identifying weaknesses and areas for improvement. Vendors should be able to provide evidence of frequent and recent audits. These evaluations help ensure the vendor's defenses are strong and up to date. 

Service Organization Control Type 2 (SOC 2) is a rigorous cybersecurity compliance framework developed by the American Institute of Certified Public Accountants (AICPA). It serves as the industry standard for security. Achieving and maintaining SOC 2 compliance is an ongoing process that indicates a vendor's significant investment in upholding the highest cybersecurity standards and serves as a mark of distinction for vendors who may handle sensitive data.

Ask your vendor: How often is your security externally audited, and when was the most recent audit? Were you audited for SOC 2 compliance? What were the results?

Internal Security Assessments

Vendors should regularly examine their own security practices to catch and fix any issues before they become problems. These self-checks help maintain a high level of security and show a proactive approach to data protection.

Ask your vendor: How often do you conduct security reviews of your own systems? Who is involved, and what does the review entail? Frequent and thorough assessments indicate a vendor is serious about keeping their systems secure.

Security is a team sport, and we’re all only as strong as our weakest link. That's why it's so important to ensure every player is up to snuff. Families entrust schools with their children’s future, and technology providers with mountains of critical data, and we must do our part to adhere to the highest standards to ensure that our communities thrive in safety. 

Disclaimer: The software security best practices provided herein are for informational purposes only and should not be considered a comprehensive list. We encourage schools to use this as a starting point and complement it with your own due diligence, research, and professional guidance to establish a robust security framework.








The financial aid platform purpose built to remove enrollment barriers for today's families.

Make an Inquiry