4 Questions to Ask BEFORE You Allow a Vendor Behind Your Firewall

As it has been for the last three years, information security was listed as the top issue for higher ed in 2017 by EDUCAUSE. In the first half of 2017 alone, data breaches in the education sector increased by 103 percent, says EdTech magazine. And a new report from Gemalto found that the number of lost, stolen or compromised data records went up 164 percent in the first 6 months of 2017 compared to the last half of 2016, Campus Technology reports.

So, there’s a good reason why most IT people frown upon allowing a vendor to install a software appliance behind their firewall. The security of student records is a significant responsibility for any registrar’s office. Universities understand that its paramount to protect their internal networks from the outside world, especially today.

Security and Privacy isn’t simply a question of what a partner does today but whether they have a track record of continuously investing and improving. What was once an accepted practice, might now be frowned upon. A few themes are commonly surfacing during CIO driven reviews: how credit card and social security numbers are stored, as well as vendor software operating behind firewalls. One creates a privacy risk and the other creates a security risk. Parchment is unique in our comprehensive approach.  

What to Ask Vendors

Are program applications, like SIS connectors, verified by their respective providers? Vendor partnerships, including those offered by Ellucian and Oracle, are critical.

Best practice: Integrations should be validated and approved by your SIS vendor to ensure alignment with all their required process methodologies, standards, security and documentation.
Is read/write access to your SIS required by the application or Java widget?

Best practice: Don’t introduce software into your network that requires authority you can’t monitor. You wouldn’t normally grant access without full understanding of actions taken. Granting privileged access can mean unintended reading or changing of data access.
Is documentation provided that outlines the vendor’s security and policy compliance?

Does the vendor integrate through the standard Web-Service based models your SIS vendor recommends?

Best practice: Any connectors using SSL should be outbound only, where the connection is initiated by your school to the vendor.

Are vendor security and privacy policies evolving to meet and exceed ever-changing standards?

Best practice: Regularly discuss security and privacy policies with the vendors you work with to ensure that they have a continued focus and comprehensive approach. Leadership can change, but the focus on security should not.

How are highly sensitive data fields such as social security and credit card numbers used and retained? Vendors should also be able to work with you to meet individual school policies and practices for storing data.

Best practice: Sensitive data – full social security and credit card numbers – should never be stored. Necessary data, such as student name, birth date, and ID number, should be encrypted and stored only as absolutely necessary by the application.

Best practice: When contracting with vendors, require relevant documentation, which should then be scrutinized by your IT colleagues. Remember, security is a team sport. The IT team should always be involved!


Homework? We’ve put together a list of articles and more about security-related topics to help you mitigate risk and protect your student and employee data from ever-increasing threats.

We’ve Got Your Back

At Parchment, the security of your personal data is always a priority. So, it probably comes as no surprise that we follow all the best practices listed above and then some. We want you to be confident that the technologies and practices we employ for creating and distributing credentials will protect your network—and your school’s reputation. Learn more.

Sign In


Let us help you find what you are looking for.