GoogleChromeLabs / link-to-text-fragment

Browser extension that allows for linking to arbitrary text fragments.
https://chrome.google.com/webstore/detail/link-to-text-fragment/pbcodcjpfjdpcineamnnmbkkmkdpajjg
Apache License 2.0

Questions about the privacy and security docs for GoogleChromeLabs / Link-to-text-fragment #54

Closed kmf777 closed 2 years ago

kmf777 commented 2 years ago

Questions about the privacy and security docs for GoogleChromeLabs / Link-to-text-fragment

Contact: Privacy Officer/Legal
From: ECNO VASP Team
Date: March 02, 2022
RE: Link to Text Fragment - Free

If you are not the correct person to receive this message, please forward it to the appropriate contact.

Background

The Education Computing Network of Ontario (ECNO) and the Ontario Association of School Business Officials (OASBO) have partnered to establish a service to review software, applications, and web services, etc. for Ontario school boards.

ECNO is comprised of Ontario’s 72 public and Catholic English and French school boards who collaboratively find and execute effective IT solutions. The Ontario Association of School Business Officials (OASBO) brings professionals together who are committed to collaborative development, sharing and promotion of leading business practices in support of students.

Both ECNO and OASBO operate in Ontario, Canada.

An expert team, known as the Vetting Applications for Security and Privacy (VASP) team, was established to perform privacy, security and liability risk assessments. The assessment is based on the Student Digital Privacy Standard developed for Ontario Schools Board (copy attached). It identifies gaps between the function of the software and the vendor’s privacy policy, terms of service and other related documents, apparent security/privacy challenges in the use of the application, and assigns a risk score.

Boards are provided with risk assessment reports which outline mitigating strategies to minimize the impact of any privacy, security and/or liability risks to inform their decision. Ultimately, boards alone bear full responsibility for the final decision about whether to use the software based on their risk tolerance, ability to implement mitigation strategies, and, where applicable, to negotiate acceptable contract language.

Assessment Comments/Questions

The assessment is being conducted because one or more of Ontario’s school boards have requested the app be assessed. The first stage has been completed and a risk assessment score has been determined; however, it has generated questions that require clarification.

Prior to finalizing the risk assessment and communicating the results to boards, we are seeking your response to the following comments/questions. Your feedback is important and we ask that you forward it to ECNOVASP@ECNOConnect.org by the due date listed below.

Please note, should we not receive your reply, the report will be posted with the outstanding questions which will result in a high risk assessment. We look forward to including your input to provide Ontario school boards with the most comprehensive overview of the app.

Comments/Questions Arising from the Assessment

1. To what privacy legislation does the app/service comply?
2. Does the app track student behavior outside of the app (e.g., browsing habits, search queries, use of social media)?
3. Is there a privacy/security policy in place that includes a comprehensive security program (that is based on one or more industry frameworks such as NIST, ISF, ISO, COBIT, CIS, etc.) or controls for protecting systems and user data?
4. Are industry standards for security followed, and can reports, evidence, certifications, or assurance regarding the presence of security controls (e.g. SOC 2 / SOC 3, FedRAMP, CSA STAR, ISO, etc.) be provided?
5. Is data encrypted at rest?
6. Is there a breach response protocol including containment, notification and remediation in place?
7. Are users/schools/boards notified when a security or data breach of personal information occurs? If so, is it by direct or indirect notification?
8. How are disputes resolved--by mediation, arbitration or litigation? If by arbitration, do both parties control the terms?
9. Where does the App/Software/Web Service store files?

Response Requested by: March 15, 2022

tomayac commented 2 years ago

Please see the privacy policy.