Approach to 
Compliance & Security

“A Voluntary Product Accessibility Template (VPAT™) is a document that explains how information and communication technology (ICT) products such as software, hardware, electronic content, and support documentation meet (conform to) the Revised 508 Standards for IT accessibility. VPATs™ help Federal agency contracting officials and government buyers to assess ICT for accessibility when doing market research and evaluating proposals.”*

The VPAT was created by the Information Technology Industry Council so that contracting officials and purchasers could make preliminary assessments on information technology products and service offerings. Therefore, a VPAT can be a critical component of the RFP process for any organization (private or government) where accessibility and Section 508 compliance is a key element.

To download our Rapididentity Accessibility Conformance Report, click here.

Click here to learn more.

*source: www.section508.gov

The Family Educational Rights and Privacy Act of 1974 (FERPA) governs access and release of student records. FERPA applies to elementary, secondary, and postsecondary institutions. Institutions that receive federal funding are required to comply with FERPA or risk losing their funding.

FERPA defines three types of information: educational information, PII, and ‘non-directory’. Non-directory information and PII cannot be released to anyone without a student’s written consent. Faculty and staff can only access non-directory information when there is a legitimate academic reason. Non-directory information includes records relating to a student’s Social Security number, school identification number, race, ethnicity, nationality, gender, and transcripts. Directory information does not require signed, written consent prior to its release.

Click here to learn more.

“When it comes to the collection of personal information from children under 13, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, the nation’s consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online. For example, if your company is covered by COPPA, you need to have certain information in your privacy policy and get parental consent before collecting some types of information from kids under 13.”*

The FTC provides a six-step process to determine if your company is covered by COPPA:

• Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.
• Step 2: Post a Privacy Policy that Complies with COPPA.
• Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.
• Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.
• Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.
• Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.
• Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement

Click here to learn more.

*source: www.ftcj.gov

SOC 2 applies to technology-based service organizations that store customer data in the cloud. A SOC 2 audit is an audit of a service organization’s non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system.

SOC 2 compliance is a component of the American Institute of CPAs (AICPA)’s Service Organization Control reporting platform.

There are many other similarities between SOC II Type I and SOC 2 Type II reports, but the key difference is that a SOC 2 Type I report is a confirmation of controls at one specific time, whereas a SOC 2 Type II report is a confirmation of controls over a minimum six-month period. The SOC 2 Type I reports on the description of controls, that they are detailed and correspondingly deployed. The SOC 2 Type II reports primarily on the effectiveness of the controls.

To request our Soc2 compliance report, click here.

“The essential premise of the Criminal Justice Information Services (CJIS) Security Policy is to provide appropriate controls to protect the full lifecycle of CJI, whether at rest or in transit. The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. This Policy applies to every individual—contractor, private entity, noncriminal justice agency representative, or member of a criminal justice entity—with access to, or who operate in support of, criminal justice services and information.”*

Criminal Justice Information (CJI) refers to data necessary for law enforcement and civil agencies to perform their duty. Examples of CJI data include biometric data (DNA, fingerprints, etc.), identity history data (history of criminal and/or civil events regarding the individual), personal data, property data, and case history.

Click here to learn more.

*source: FBI.gov

Web Content Accessibility Guidelines (WCAG) was developed with a vision of providing a single shared standard for web content accessibility that meets the needs of individuals, organizations, and governments internationally. Specifically, the WCAG details how to make web content more accessible to people with disabilities. Web “content” generally refers to the information in a web page or web application, including natural information such as text, images, and sounds or code/markup that define structure, presentation, etc.

Identity Automation conforms to WCAG 2.0.

Click here to learn more.

The Higher Education Community Vendor Assessment Tool (HECVAT) was created by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group, in collaboration with Internet2 and REN-ISAC.

The HECVAT tool is used to measure a 3rd party vendor’s compliance level to ensure that cybersecurity policies are in place to protect students/faculty/staff Personally identifiable information (PII) and sensitive Institutional information.

HECVAT enables a consistent, easily-adopted methodology for Higher Ed organizations wishing to reduce costs through cloud services without increasing risks.

To download our Higher Education Community Vendor Assessment Tool, click here.

Click here to learn more.

The guidance provided by NY EdLaw 2-D seeks to address the risks that digital workflows have introduced. Following the NIST Cybersecurity Framework, NY EdLaw 2-D explicitly states that a data security program should include “data security protections, including data systems monitoring, data encryption, incident response plans, limitations on access to personally identifiable information, safeguards to ensure personally identifiable information is not accessed by unauthorized persons when transmitted over communication networks, and destruction of personally identifiable information when no longer needed.”

Further, the regulation requires that when a parent or student requests education records, “safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection must be in place when data is stored or transferred”. Also, all third-party contractors who receive PII, or any subcontractee engaged by a third-party contractor, must “use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the United States department of health and human services in guidance issued under Section 13402(H)(2) of Public Law 111-5.

Click here to learn more.

The Texas Risk and Authorization Management Program (TX-RAMP) is a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency, institution of higher education, and public community college.

TX-RAMP Provisional Status provides a provisional product certification permitting a state agency to contract for the use of a product for up to 18 months without receiving full TX-RAMP certification. Upon achieving provisional status, the cloud computing service will need to be certified through a TX-RAMP assessment or equivalent within the provisional status period to maintain compliance with program requirements.

Identity Automation achieved provisional status in 2022 and is anticipating full certification in 2023 after achieving StateRAMP status.

Click here to learn more.