This is the largest category and is broken down into 12 sections. Where questions seem to be repeated, it may be that more detail is required within a particular context. For example, if we are talking about password controls then in one question we might be asking about how you manage it within your company, but in another question we are asking about how schools can manage it within your product/service. Both are important and we will point to where we are asking about you directly and where we are asking about your product or service. There may be overlap, and that is perfectly ok and correct, and there will be opportunities to explain this within your responses.
The 12 sections are:
- Product Function
- Hosting and Location
- Technical
- Logging
- Access
- HR
- Processes and Testing
- Plans and Quality
- Incidents
- Data Deletion and Retention
- Compliance Controls
- Governance
The themes for these sections are generally self-explanatory, but here are more details:
Product Function
This section allows you to provide details on the general use of the product/service; what personal data may be used; any sub-contractors/sub-processors you work with to provide this product/service, and how you check them over; any other data processors you might integrate with or send data to on behalf of the educational institute; any independent third parties you may share data with, and what they use it for; whether it is on-premise, cloud hosted or hybrid; and all the subsequent terms of service, data processing agreements, codes of conduct, accessibility standards. This is an important section to cover as there are different requirements in different jurisdictions. However, there is a common baseline that can be met through GDPR and some considerations for particular jurisdictions, e.g. the US and COPPA/FERPA.
Hosting and Location
This is relevant to cloud-hosted/hybrid models and looks at your approaches to physical security, the hosting services you make use of, and how you manage it.
Technical
This section looks at how the infrastructure is protected and managed, including the management and security of any software code and how you subsequently protect and secure the educational institute’s personal data. It then looks at you as an organisation: how you protect your own network and the systems on which you develop, and how you protect the access you have to the service while you are developing and supporting it. This is covered in areas such as software updates, anti-virus/anti-malware and the organisational approaches your company takes.
Logging
Provide information on the logging process i.e. what is collected, how often, what users, type of logs, and if the logs are centralised.
Access
This section is to explain your security policies on providing access for your users including inventory of accounts, password requirements, remote access, authentication, and third party service access.
HR
Explain your onboarding and offboarding process for employees and contractors. Provide information on internal and external agreements. Address your security awareness program and ongoing training.
Processes and Testing
Covers vulnerability scans and penetration testing, the compliance of third-party providers, and how you maintain software and hardware updates. Provide information about your incident response plan and how you handle data breaches and data loss.
Plans and Quality
This section lists several plans and processes and the required documentation for each: Business Continuity Plan; IT Change Management process; Security, Privacy, and Risk Management process; IT Asset Management process; Information Security Policy; Security Training and Awareness Policy; Maintenance Policy; Security Planning Policy; System and Services Acquisition Policy; Data Management Policy; Service Application Development; and other cybersecurity elements.
Incidents
Addresses the organization’s history with incidents. An incident is defined as an occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
Data Deletion and Retention
Criteria used and time frame for processes and specifics on how the data is managed.
Compliance Controls
Define your compliance certifications or security assessments listing frequency and type.
Governance
This section allows you to report the data privacy roles in your organization, whether a budget is designated for them, and the location of your teams and response systems.