Vendor Privacy and Security Information Collection

The Vendor Privacy and Security Information Collection Form is designed to gather crucial information on security, privacy, and data management practices from vendors, helping RCSJ assess their products before adoption. The form will collect responses that inform RCSJ's internal team about potential risks, data handling protocols, and compliance standards, but will not directly determine qualification status for adoption. In addition to the questions below, please attach your most recent HECVAT assessment and any additional documentation you'd like to provide.

Vendor and Product Name

Please provide the name of the vendor and the name of the product (or products) the information below applies to.

RCSJ Point of Contact

Please provide the name and/or email address of the person at RCSJ who has asked you to complete this form.

Physical Security

Where will RCSJ's data be stored?

In the cloud, or on premise?
If in the cloud, where are the cloud services physically deployed?
If on premise, where? And what physical security measures are in place to protect data from unauthorized users?

Data Security

What encryption methods does the vendor use to secure data in storage and transit?

How does the vendor identify abnormal behavior and catch anomalous activity to prevent access and changes to RCSJ data?

What type of user authentication and access controls does the vendor utilize?

Does the vendor segment data by customer so one customer's data is not mixed with data from other customers?

Security Assessments: External and Internal

If applicable, provide information on the vendor's program of external security audits.

Does the vendor have a proactive program of external security audits?
How often is security externally audited?
When was the most recent audit?
Was the vendor audited for compliance with a recognized Security framework? e.g. SOC 2 -- If so, which framework was used?
What were the results?

If applicable, provide information about security reviews the vendor performs of its own systems.

How often are these reviewed conducted?
Who is involved?
What does the review entail?

If applicable, provide information about penetration testing and vulnerability scans conducted by the vendor.

What type?
How frequent?
What does this testing involve?

Policies

Please provide information about internal security policies and procedures.

Examples of information vendors may want to supply: plans for information security, incident response, business continuity/disaster recover, handling of sensitive data.

How often are these plans reviewed and updated?

How would the vendor notify RCSJ in the event of a breach?

Vendor Employees

What steps does the vendor take to ensure any risk posed by employees are minimized?

Does the vendor conduct background checks?
Does the vendor require regular data privacy and security training for its personnel?

Data Privacy

How does the vendor practice data minimization in its operations?

Especially relating to personally identifiable information of RCSJ students, staff, and families.

How does the vendor ensure compliance with data protection laws that apply to RCSJ, including FERPA and the NJDPA?

Insurance

Does the vendor carry cybersecurity insurance?

If so, what does this insurance cover and what is the coverage limit?

Optional Content

Optional: Additional Comments

Do you have any additional comments you'd like to provide that didn't fit into the answers above?

Document Submission

Please attach your most recent HECVAT assessment and any additional documentation you'd like to provide.
NOTE: Documents do not replace filling out the form, even if the answers are in the documents.

Browse...

Your name

Your email address

Verification Code

Vendor Privacy and Security Information