# EngagedLab — Jisc Security Assessment Checklist

This checklist is designed to support institutional IT and procurement teams during initial review.

## 1) Governance and ownership
- Data controller and processor roles documented.
- Named security contact and escalation path available.
- Security documentation versioning and review cadence defined.

## 2) Identity and access management
- SSO pathway documented (SAML/OIDC, where applicable).
- MFA options and account protection controls defined.
- Role-based access model and privilege boundaries described.

## 3) Data protection
- Data flow summary available (ingestion, processing, export).
- Institution-scoped data access controls described.
- Data retention/deletion process and evidence handling policy documented.

## 4) Application and infrastructure security
- Encryption controls for data in transit and at rest documented.
- Logging and auditability coverage described.
- Vulnerability remediation and release process defined.

## 5) LMS and integration assurance
- SCORM and LTI deployment guidance provided.
- Integration testing approach documented.
- Operational support model for rollout defined.

## 6) Sub-processors and supply chain
- Current sub-processor list maintained.
- Purpose and location of each provider documented.
- Change notification process available for institutional customers.

## 7) Incident management
- Incident response process and contact route documented.
- Breach notification process aligned with contractual obligations.
- Post-incident review and remediation tracking process available.

## 8) Evidence pack request
For an institution-specific security pack, contact:
- admin@engagedlab.co.uk
- Subject: Security Review Pack
