| ID | Field | Value |
|---|---|---|
| DATE-01 | Date | 12/15/2023 |
| GNRL-01 | Vendor Name | Biometric Signature ID |
| GNRL-02 | Product Name | BioSig-ID™ BioProof-ID™ BioSight-ID™ |
| GNRL-03 | Product Description | Student ID authentication using patented gesture biometrics to create a unique 4 character password (length, speed, direction angle..), exam monitoring using a web cam, ID verification comparing |
| GNRL-04 | Web Link to Product Privacy Notice | |
| GNRL-05 | Vendor Contact Name | Jeff Maynard |
| GNRL-06 | Vendor Contact Title | President & CEO |
| GNRL-07 | Vendor Contact Email | jeff.maynard@BioSig-ID.com |
| GNRL-08 | Vendor Contact Phone Number | 214-244-7679 |
| GNRL-09 | Vendor Data Zone | United States |
| GNRL-10 | Institution Data Zone | United States |
| GNRL-11 | Campus Security Analyst/Engineer | |
| GNRL-12 | Assessment Contact | |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| DOCU-01 | Have you undergone a SSAE 18 audit? | Yes | Microsoft audits at least annually against the SOC reporting framework for SOC 1, 2, and 3 by independent third-party auditors. The audit for Microsoft cloud services covers controls for data security, availability, processing integrity, and confidentiality as applicable to in-scope trust principles for each service. | Provide the date of assessment and include a SOC 2 Type 2 (preferred) or SOC 3 report. If you have a SOC 3 report, include a URL for the published report. Indicate if your hosting provider was the subject of the audit. |
| DOCU-02 | Have you completed the Cloud Security Alliance (CSA) self-assessment or CAIQ? | No | No need for this with Microsoft Azure | Describe any plans to complete the CSA self-assessment or CAIQ. |
| DOCU-03 | Have you received the Cloud Security Alliance STAR certification? | No | | Describe any plans to obtain CSA STAR certification. |
| DOCU-04 | Do you conform with a specific industry standard security framework? (e.g. NIST Cybersecurity Framework, ISO 27001, etc.) | Yes | Azure systems run in environments where Microsoft has achieved certifications for SOC 1/2/3, ISO 9001, and ISO 27001/27017/27018, as per the best practice for FERPA compliance | Provide documentation on how your organization conforms to each framework and indicate current certification levels, where appropriate. |
| DOCU-05 | Are you compliant with FISMA standards? | Yes | Microsoft Azure has earned a P-ATO at the High Impact Level from the Joint Authorization Board, the highest bar for FedRAMP accreditation, which authorizes the use of Azure to process highly sensitive data. | Indicate level, agency issuing ATO, and necessary details on ATO. If using FedRAMP, please indicate the supporting details. |
| DOCU-06 | Does your organization have a data privacy policy? | Yes | | Provide your data privacy document (or a valid link to it) upon submission. |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| COMP-01 | Describe your organization’s business background and ownership structure, including all parent and subsidiary relationships. | JCLADS Corp dba Biometric Signature ID is a Delaware based corporation. It is privately owned and has a number of shareholders including the State of Texas and the Moheghan Biometrics. Majority ownership is held by Jeff Maynard. We have no subsidiaries. | | Include circumstances that may involve off-shoring or multi-national agreements. |
| COMP-02 | Describe how long your organization has conducted business in this product area. | 11 years | | Include the number of years and in what capacity. |
| COMP-03 | Do you have existing higher education customers? | Yes | Biometric Signature ID has worked with many higher education, commercial and continuing education customers in the US and internationally. A reference list is available upon request. Biometric Signature currently works with Central Texas College, Alamo Colleges District, National Multi-state Licensing System & Registry (NMLS), Arkansas State University, Colorado State University Global Campus. | Provide a list of Higher Ed references, with contact information. |
| COMP-04 | Have you had a significant breach in the last 5 years? | No | Biometric Signature ID has not ever had a significant breach. | |
| COMP-05 | Do you have a dedicated Information Security staff or office? | Yes | Biometric Signature ID has a dedicated team to ensure all of our products meet or exceed industry security standards. We have a 4,000 square foot office building. | Describe your Information Security Office, including size, talents, resources, etc. |
| COMP-06 | Do you have a dedicated Software and System Development team(s)? (e.g. Customer Support, Implementation, Product Management, etc.) | Yes | Biometric Signature ID employs a team of developers dedicated to supporting the client/user facing UI, server maintenance, current and new development efforts along with LMS production support. Our dedicated customer support, implementation team and product managers work closely with each client to ensure a seamless experience. | Describe the structure and size of your Software and System Development teams. (e.g. Customer Support, Implementation, Product Management, etc.) |
| COMP-07 | Use this area to share information about your environment that will assist those who are assessing your company data security program. | For the past 13 years our flagship product, BioSig-ID™, has had over a million users from hundreds of institutions. BioSig-ID has been used over 40M times to authenticate identity before users can access assessments, devices, or content. Additionally, we have award winning data analytics that has discovered 1,000s of cheating students using proven adaptive algorithms and real time event notifications. Two issued patents confirm our “novel technology”. BSI is also involved in other market sectors. BSI has provided identity authentication services to a financial federal agency for the last four years for pre-licensure and CE certifications. In this association, we have adjudicated identity “authentication before access” millions of times in thousands of courses offered by 35 course providers for nearly 200,000 members. BSI has provided services to healthcare entities, defense contractors, VR companies for payment processing and real estate agents for pre-licensure. | | Share any details that would help information security analysts assess your product. |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| HLAP-01 | Do you support role-based access control (RBAC) for end-users? | Yes | Biometric Signature ID utilizes the user's role in the learning management system to determine appropriate access level. The Reporting Dashboard provides configurable access to provide records that are appropriate for each role. | Describe any infrastructure dependencies. |
| HLAP-02 | Do you support role-based access control (RBAC) for system administrators? | Yes | The Reporting Dashboard provides configurable access to provide records that are appropriate for each role. | Describe the utilized technology. |
| HLAP-03 | Can employees access customer data remotely? | Yes | We maintain a telecommute environment with secure access to data. | If available, submit documentation and/or web resources. |
| HLAP-04 | Can you provide overall system and/or application architecture diagrams including a full description of the data communications architecture for all components of the system? | Yes | Biometric Signature ID can provide high level architecture documentation. | Provide a reference to the requested documents or provide them when submitting this fully-populated HECVAT. |
| HLAP-05 | Does the system provide data input validation and error messages? | Yes | We receive and log messaging internally. Text error messages are displayed to the user when they input an incorrect BioSig-ID password or if there is a technical issue. Depending on the issue, users may have an automatic support ticket created on their behalf. | Provide a reference to documentation of your data input validation and error messaging capabilities. |
| HLAP-06 | Do you employ a single-tenant environment? | Yes | Depending on the product or features selected we can offer a single tenant system for an additional cost. By default we offer multi-tenant environments. | Describe your single-tenant strategy. |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| HLAA-01 | Can you enforce password/passphrase aging requirements? | Yes | Our products eliminate the need to reset a password at specific intervals. However, should an institution require that a password reset be performed at a specific interval, we can configure these settings per institution requirements. | Describe how aging requirements are implemented in the product. |
| HLAA-02 | Does your web-based interface support authentication, including standards-based single-sign-on? (e.g. InCommon) | Yes | When the user enters the LMS and accesses our product, the user information such as first name, last name, student ID and/or email is sent to our system. | Describe or provide a reference to the supported types of authentication. |
| HLAA-03 | Does your application support integration with other authentication and authorization systems? List which ones (such as Active Directory, Kerberos and what version) in Additional Info? | Yes | Different solutions can be integrated in many ways, some with a more native integration and others with a secure protocol for communication. Some of these include, but are not limited to: Active Directory (LDAP), Azure Active Directory, SSO via SAML2/SSOIO/Kerberos/OpenID/OAuth | Provide a brief description of supported authentication and authorization systems. |
| HLAA-04 | Does the system (servers/infrastructure) support external authentication services (e.g. Active Directory, LDAP) in place of local authentication? | No | BioSig-ID™ replaces or supplements regular forms of authentication to add a biometric gesture level of identifying the person trying to gain access. It does not require any external service for this. | Describe any plans to support external authentication services in place of local authentication. |
| HLAA-05 | Are audit logs available that include AT LEAST all of the following; login, logout, actions performed, and source IP address? | Yes | Login and session details are maintained in the audit log along with actions performed and IP address, browser and device information. | Ensure that all elements of D32Bio are evaluated for your response. Provide a description of logging |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| HLBC-01 | Do you have a documented Business Continuity Plan (BCP)? | Yes | Biometric Signature ID has a business continuity plan that can be shared upon request. | Provide a copy of your BCP along with this document (link or attached) |
| HLBC-02 | Is there a documented communication plan in your BCP for impacted clients? | Yes | Our business continuity plan allows for multiple server and database redundancies via Microsoft Azure. Should one region fail, we have the capability to ensure the product service will remain available for clients. | Summarize your documented communication plan contained in your BCP |
| HLBC-03 | Are all components of the BCP reviewed at least annually and updated as needed to reflect | Yes | The BCP is reviewed annually. | Describe your BCP component review strategy. |
| HLBC-04 | Does your organization conduct an annual test of relocating to an alternate site for business recovery purposes? | Yes | Office relocation has no impact on the Microsoft Azure PaaS/SaaS infrastructure. Product can be moved to another provider, but there is no need for this, and Microsoft handles recovery for us. | State the date of your last alternate site relocation test. |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| HLCH-01 | Do you have a documented and currently followed change management process (CMP)? | No | | Describe current plans to implement a change |
| HLCH-02 | Will the institution be notified of major changes to your environment that could impact the institution's security posture? | Yes | Technical points of contact or designated admins will receive emails and/or SMS messages about important changes to hardware, software or cloud environments. | State how and when the institution will be notified of major changes to your environment. |
| HLCH-03 | Do you have policy and procedure, currently implemented, guiding how security risks are mitigated until patches can be applied? | Yes | Microsoft Azure automatically applies security patches, or we manually push them forward if validation is required, which we Q&A on staging environments. Due to the Azure infrastructure this process is done in real-time and requires no scheduling, but for manual pushes we time this to happen during low activity if severity is low on the security risk. | Summarize the policy and procedure(s) guiding risk mitigation practices before critical patches can be applied |
| HLCH-04 | Do procedures exist to provide that emergency changes are documented and authorized (including after the fact approval)? | Yes | Each change is documented within private DevOps branches and approved accordingly by others, and goes through proper Q&A phases, or is pushed at emergency level if a security risk has been detected, but then Azure allows for balanced multiple slot deployments. There are also Teams/Outlook trails to correlate, and summaries are documented for management and clients. | Summarize implemented procedures ensuring that emergency changes are documented and authorized. |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| HLDA-01 | Do you physically and logically separate institution's data from that of other customers? | No | Logically, all data is separated between clients but on the same hardware/systems. Enterprise clients are physically separated if they host their own infrastructure. | Describe your plan to physically and logically separate institution's data from other customers. |
| HLDA-02 | Is sensitive data encrypted in transport? (e.g. system-to-client) | Yes | All data in transit is secured with 512AES encryption. | Summarize your transport encryption strategy. |
| HLDA-03 | Is sensitive data encrypted in storage (e.g. disk encryption, at-rest)? | Yes | All data is stored in the Azure cloud, with all the world class security that comes along with it, in a SQL database with 512AES | Summarize your data encryption strategy. |
| HLDA-04 | Do backups containing institution data ever leave the institution's Data Zone, either physically? | No | | |
| HLDA-05 | Do you have a media handling process, that is documented and currently implemented, including end-of-life, repurposing, and data sanitization procedures? | Yes | Destruction upon end of agreement or upon customer request | Provide details of these procedures (link or attached). |
| HLDA-06 | Is any institution data visible in system administration modules/tools? | Yes | Institution name, account number, point of contact(s), email and physical addresses to the organization are visible to some employees in our dashboards. | Summarize why the institution's data is visible in system administration modules/tools. |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| HLDB-01 | Does the database support encryption of specified data elements in storage? | Yes | All data is stored in the Azure cloud, with all the world class security that comes along with it, in a SQL database with 512AES encryption. | Describe the type of encryption that is supported. |
| HLDB-02 | Do you currently use encryption in your database(s)? | Yes | All data is stored in the Azure cloud, with all the world class security that comes along with it, in a SQL database with 512AES encryption. | Describe how encryption is leveraged in your database(s) |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| HLDC-01 | Will any institution data leave the institution's Data Zone? | No | | |
| HLDC-02 | Does your company own the physical data center where the institution's data will reside? | No | Azure is owned and operated by Microsoft | Provide a detailed description of where the institution's data resides. |
| HLDC-03 | Does the hosting provider have a SOC 2 Type 2 report available? | Yes | | Obtain the report if possible and add it. |
| HLDC-04 | Does the physical barrier fully enclose the physical space preventing unauthorized physical access? | Yes | Azure's physical security procedure is documented | Describe your physical barrier strategy. |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| HLDR-01 | Do you have a Disaster Recovery Plan (DRP)? | Yes | | Describe or provide a reference to your Disaster Recovery Plan (DRP). |
| HLDR-02 | Are any disaster recovery locations outside the institution's Data Zone? | No | | |
| HLDR-03 | Are all components of the DRP reviewed at least annually and updated as needed to reflect? | Yes | | Summarize your DRP review and update processes. |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| HLFI-01 | Are you utilizing a web application firewall (WAF) and/or a stateful packet inspection (SPI) firewall? | Yes | Azure provides firewall services that integrate indirectly within the applications and from the end-user point avoid DDoS and other attacks. They are open by default to any user in the world as we supply services as such. The back-ends are secured via encryption, but have additional IP-restrictions for additional security. Applications themselves are self-healing and are locked down. | Describe the currently implemented WAF. |
| HLFI-02 | Do you have a documented policy for firewall change requests? | Yes | We handle this internally for internal changes, and provide personalized e-mails to clients if they need to make firewall changes on their end to allow *.verifyexpress.com services to route through their networks. These are also whitelisted by the United States | Describe your documented firewall change request policy |
| HLFI-03 | Are you employing any next-generation persistent threat (NGPT) monitoring? | Yes | Microsoft Azure does the majority of this automatically, but this is supplemented by us with Microsoft's best practices on usage of DevOps monitoring combined with Application Insight monitoring as well as internally created monitoring methods. | Describe your NGPT monitoring strategy. |
| HLFI-04 | Do you monitor for intrusions on a 24x7x365 basis? | Yes | The majority is handled by Microsoft and dealt with immediately by them, but appropriate Biometric Signature ID staff is also notified to take action. | Provide a brief summary of this activity. |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| HLPH-01 | Does your organization have physical security controls and policies in place? | Yes | | Provide a copy of your physical security controls and policies along with this document (link or attached). |
| HLPH-02 | Are employees allowed to take home customer data in any form? | No | | |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| HLPP-01 | Can you share the organization chart, mission statement, and policies for your information security unit? | Yes | | Provide links to these documents in Additional Information or attach them with your submission. |
| HLPP-02 | Are information security principles designed into the product lifecycle? | Yes | Being a security company, the product development puts security principles at the core, and incorporates that with privacy awareness as well. | Summarize the information security principles designed into the product lifecycle. |
| HLPP-03 | Do you have a formal incident response plan? | No | There has never been a need for a formal plan as incidents are immediately addressed by those with appropriate access and we thereby avoid any slowdown in responsiveness that a formal plan would introduce. Strict methods are applied in how to response | State plans to formalize an incident response plan. |
| HLPP-04 | Do you have a documented information security policy? | Yes | Management has outlined what is expected to ensure security and which staff has the appropriate primary duties and when secondary or tertiary replacements jump in. | Provide a reference to your information security policy or submit documentation with this fully-populated |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| HLSY-01 | Are systems that support this service managed via a separate management network? | Yes | BSI services themselves have a dashboard layer to assist admins in managing the front-end, but it all runs within the same Azure network on a different App-plan. Any third-party service provider that we are integrated with, such as an LMS-provider would. | Provide a brief description of how this is implemented. |
| HLSY-02 | Do you have a systems management and configuration strategy that encompasses servers, appliances, and mobile devices (company and employee owned)? | Yes | Policies with hierarchy based roles are in place to govern the use and changes made to systems in the network along with audit trails. Changes to the system can only be made by specific roles and undergo approval depending on their associated level. | Summarize your systems management and configuration strategy. |
| ID | Question | Vendor Answers | Additional Information | Guidance |
|---|---|---|---|---|
| HLVU-01 | Have your systems and applications had a third party security assessment completed in the last year? | Yes | As per DOCU-01 this is done annually, but we also have existing and prospective clients run many third-party security assessments, with the IBM Security Guardium Vulnerability Assessment being the most popular. | Provide the results with this document (link or attached), if possible. State the date of the last completed third party security assessment. |
| HLVU-02 | Are your systems and applications scanned for vulnerabilities [that are remediated] prior to new releases? | Yes | We have multiple Azure slots available for this purpose to do basic testing, but also to replicate production environment testing to minimize impact on end-users before final deployment. | Provide a brief description. |