Download

Evaluation Questions and Standards

Even if your library isn’t required to go through the RFP process, you can use any of these questions or standards to ask vendors while you’re evaluating products. Here’s a short list of what to search for when researching vendor products for selection to get you started:

• Does the vendor have a publicly available privacy policy? 
• What user data does the vendor collect, process, and disclose to third parties? What rights do users have to their own data? Is there an opt-out option?
• How does the vendor store user data? Is the storage encrypted? Where is the storage located? Is it hosted by a subcontractor? Is it stored outside of the country? Is it stored in the cloud or on a local server?
• Does the vendor meet specific information security standards, such as ISO/IEC 27001 or PCI-DSS, or use specific information security and privacy frameworks, such as the NIST Cybersecurity Framework and NIST Privacy Framework?
• What fourth parties or subcontractors does the vendor disclose user data with and for what reasons?
• How does the vendor meet applicable federal and state legal regulations regarding data privacy and security?

There are a couple of ways you can ask a vendor about their privacy practices:

• Tell them specifically what you want, such as “Vendor must use [specific level of] encryption for data storage and transit”, or
• Ask how they meet a certain privacy criterion, such as “What are the security measures in place to protect user data in storage and in transit?”

Each way has its strengths and weaknesses. Asking if a vendor meets certain criteria can make evaluation quicker, but it might leave out important details about how the vendor meets that criteria. The details from asking how a vendor meets certain criteria, though, might be lacking and might require additional back and forth with the vendor.