Hello,

I do realize the Sympa is open-source. I still wanted to reach out to ask if there is any security documentation that can be provided for Sympa.

I am emailing to request security documentation for our state-required risk assessment of Sympa, Since we are a public university, we must follow Texas regulations, ensuring your company has adequate security controls in place. I am requesting that your organization complete the attached Higher Education Community Vendor Assessment Tool (HECVAT) and provide security documentation that shows you have the necessary security controls implemented to ensure our system will remain protected. More information on the HECVAT can be found at https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit. I appreciate your assistance. 

 

In lieu of completing the HECVAT, any certification report such as a SOC 2 Type 2 or ISO 27001 from a third-party auditor will suffice. Also, Texas Government Code requires that I verify you are conducting vulnerability scans and penetration tests prior to us using your service so any type of high-level executive summary you may provide is appreciated.

 

SA-9 External Information System Services - The state organization requires that providers of external information system services employ adequate

security controls in accordance with these standards and monitors security control compliance.

 

Sec. 2054.516.  DATA SECURITY PLAN FOR ONLINE AND MOBILE APPLICATIONS.  (a)  Each state agency implementing an Internet website or mobile application that processes any sensitive personal or personally identifiable information or confidential information must … subject the website or application to a vulnerability and penetration test and address any vulnerability identified in the test.

Please let me know if you have any questions. And, thank you in advance for any security documentation you can provide.

Best Regards,

D’ANN JACKSON

Senior Information Security Analyst

I.T. Solutions

P: 940-898-3262

Service Desk: 940-898-3971 | address@concealed  

This message contains information which may be confidential and privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by reply e-mail and delete the message.