IT Vendor Assessment Resource Center

• How long has your organization been in business? How long have you been providing this service?
• Are you willing to agree with the terms and conditions of the Institution’s Non-Disclosure Agreement? Need a link/reference.
• Licensing – how is product licensing handled? Are all components licensed from you, or are there certain components that the Institution will need to license directly with the product author? If so, what are these?
• Will you provide advanced notice of pricing changes?
• Have you supplied products and/or services to the Institution or its Campuses in the last five years? If yes, please provide the Institution contact, describe the products and/or services offered and the total value of the services provided.
• Do you offer clear SLAs in writing? Can we review SLAs that exist for other customers? Can we review your base SLA?

• What application integration technologies does the solution support?
• Do you provide any standard interfaces to other vendor products (e.g., Workday, Oracle)? If so by what mechanism?
• What Data extraction mechanism and standards you support?
• Do you support real time interaction with external systems? If so, what technologies (e.g. REST, SOAP) do you support?
• Do you provide any standard interfaces to other vendor products (e.g., Workday, Oracle)? If so by what mechanism?

• Do the technologies and services you offer adhere to Section 508 of the Rehabilitation Act and the Americans with Disabilities Act?
• If employing web-based technology, does your application conform with Level AA accessibility standards set forth in the WCAG 2.0?
• If your application does not fully comply with the WCAG 2.0 Level AA standards, please describe areas of weakness within your application and what steps are being taken to remediate these weaknesses.
• In the past 12-18 months, have you engaged an independent firm to evaluate that accessibility of your application? If so, please provide a copy of the audit report.

Peer University Resources

• Harvard University Accessibility Questions
• California State University-Fresno Accessibility Questions

• Does your organization have a comprehensive Business Continuity Plan?
• Is an owner assigned who is responsible for the maintenance and review of the Business Continuity Plan?
• Is the Business Continuity Plan written to address all hazards, or specific scenarios?
• Is your organization’s Business Continuity Plan tested on at least an annual basis?
• Please indicate the last time that the Business Continuity Plan was tested and provide a summary of the scope and results.

• Is support available 24 X 7? Please describe your processes, procedures, and technology that enable 24 X 7 support.
• Do you offer an online-based mechanism for reporting errors or bugs with the service?
• Do you have an incident management system for identifying, submitting and tracking cloud service incidents?
• What is your response and resolution commitment for urgent and non-urgent tickets?
• What are the mechanisms for contacting your organization for support? Phone? Web? Other?
• Do you offer live human support via phone and/or instant messaging?
• What level of user and technical support documentation is provided and maintained? Is that doc covered by NDA or is it public?

• How are new users provisioned in the application? [via an LDAP integration, a one time import, feed file process, when they log into the application for the first time, etc.]
• How are new groups or roles provisioned in the application? [via an LDAP group integration, a one time import, provisioned by an admin inside the application, etc.]
• Does the product store user information in its own database? [yes/no]
• Does the product store group membership or role information in its own database? [yes/no]
• If yes to either of the above questions, how and when is the user or group access deprovisioned from the application?

• Can your organization commit to a Recovery Time Objective of 24 hours in the event you experience a disaster or significant business disruption?
• Does your organization have a comprehensive Disaster Recovery Plan?
• Please indicate the last time that the Disaster Recovery Plan was tested and provide a summary of the results.
• Does your organization have a Disaster Recovery site or a contracted Disaster Recovery provider?
• Are back-ups of the operating system software, utilities, security software, application software and data files necessary for recovery stored at the DR site or another off-site location?

• Save Time and Boost Credibility with the HECVAT: Institutions are using the HECVAT to improve their vendor assessments and procurement processes, and this higher education–specific tool can also help vendors streamline responses and save time.

• Where are CDN service nodes or Datacenters located?
• Does service have peering agreements with research/education networks (Internet2, NLR, TransitRail, etc.)?
• Does service use advanced IP protocols (IPv6, IP Multicast, etc.)?
• Describe the bandwidth requirements for connections between your systems and the Institution’s users.
• Describe the typical duration of transactions.
• Describe TCP/IP ports used between the service and any client or system that the Institution operates.

• Princeton University Usability Testing