Internal‎ > ‎

Client Questionnaires

General 
Edit section

Does your system have the ability to support multiple addresses (postal and electronic) and phone numbers? In addition, does your system have the ability to support SMS/Text messaging and opt-in/opt-out indicators?

Multiple addresses and phone numbers: Yes

Text messaging: Yes with limitations. Would need an email address (xxxxxxxxxx@vtext.com for example)

Opt in/out: Yes

Does your system have real-time address verification or address cleansing capabilities?

Address verification is done in batch mode

Does the system provide flexible and customizable identification of duplicate records? Please explain the matching methods.

Yes. There are built-in rules for imports that permit flexibility when a ‘match’ is detected, and there is also capability for customers to build their own rules. The duplicate resolution process permits automatic merging

Is your system able to run for 2 groups at the same time (graduate/under grad) and does it have the ability to only show the group items that affect them?

Yes. Most clients prefer 2 separate instances

Does your system allow us to have the ability to "score" individual students based predictive modeling formulas using biographic, demographic and academic characteristics?

Yes.

Do you use the Noel Levitz six stages in your dashboard?

Yes, the naming convention is slightly different and the dashboard is customizable.

Communication
Edit section

Does your system provide multiple channels through which communications with each audience can be conducted and tracked?

Yes. Enrollment Manager can conduct and track several methods of communication, including phone, email, postal mail and others

Will your system give us the ability to build and execute unique communication plans for prospective students, parents, counselors and other influencers which include the use of targeted e-mails, direct mail campaigns, and newsletters, or any form of communications?

Yes. Enrollment Manager Campaigns is designed for that purpose. “Any” form of communications is a broad range, but the three specifically mentioned are available.

Can communications be stopped or shifted to alternate campaigns when certain criteria are met (e.g. a student submits an application), while eliminating duplicate communications?

Yes, the opportunity status is tracked and campaigns can be designed based on that status

Does your system give us the ability to schedule and automate personalized and customized communication; in addition allows for ad hoc and individual communication?

Yes, both means can be generated and tracked from within Enrollment Manager. Automation is available, depending on the extent desired.

Does your system provide the ability to track who opens messages and track who responds to messages?

Yes

Does your system provide the ability to send text and HTML messages? In addition, does it allow for us to track authorization from a student that they wish to receive text and HTML email messages?

Yes, text and HTML emails are supported, and the student may unsubscribe with a single click.

Does your system have the ability to store communication templates so that consistent messages are being sent by all users?

Yes.

Calendar
Edit section

Does your system provide the ability to associate or set one or more reminders for calendar entries, events, interviews, tasks, and assignments?

Yes. The Outlook client is especially useful here

Does your system provide alerts for calendar conflicts and reminders? Does your system provide email management incorporating features of auto response, routing, and incident escalation?

Yes, conflicts and reminders are supported. Enrollment Manager does not support call center features such as automated incident escalation natively but it may be possible to set up a workflow process to serve the requirement.

Does your system provide the ability to set personal reminder preference options?

Enrollment Manager allows setting personal reminders for events with some options

Reporting Tools
Edit section

Does your system provide management reporting tools that can easily be developed and run by business staff and not IT staff?

Yes, Advanced Finds are an extremely powerful feature of Enrollment Manager

Does your system provide ability for users to create ad-hoc reports?

Yes

What is the level of expertise needed to customize reports/queries?

That depends on the complexity of the reports/queries, but the interfaces are designed to be used by Admissions staff

Are dashboards individualized per user (as they sign in) or only listed in the reports area and have to be customized per viewer?

Enrollment Manager supports the creation of individualized dashboards

Does your system provide a mechanism to schedule, run, and produce reports in batch mode at future dates, times where appropriate (i.e. a scheduling system for reports)?

No.

Are reports available via e-mail or intranet and can they be saved for trend analysis? Can they auto send to those that are not in the system?

Reports can be exported and saved externally. They can not be automatically sent.

Does your system provide capability for data warehouse?

Yes, with a variety of approaches depending on requirements

 

Data Transfer
Edit section

Does your system allow for the real-time and batch import and export of data to other university systems?

Yes

Does your system allow staff to easily change inquiry forms and Web content; the system should act as a content management system for all public-facing websites?

Web forms are managed by Admissions Lab staff. Enrollment Manager has content management capabilities

For imports, do you have dominance rules? i.e. if duplicate record, which data overrides.

Yes for both Person and Opportunity information.

Self-Service Website
Edit section

Does your system have a web-based prospective student request for information/self-­request to join mailing list?

Yes

Does your portal allow a prospective student to submit and update geo-demographic, biographic and/or academic data?

Submit but not update.

Does your system have a web-based application that students can complete and submit?

Yes

Does your system incorporate academic and co-curricular interests to build self-service student portals for prospective students?

Does this mean: Is web content flexible based on interests? No.

Does your system provide the ability for a student to upload documents needed for admission applications through your portal?

No.

Does your system provide a payment gateway through your portal?

No.

Does your system provide the ability for email to be sent to admission staff when a prospective student takes action through the portal?

Yes.

Does your system support the following:

Telerecruiting tools Yes

Email tools (rich HTML and plain text) Yes

SMS Messaging (text messaging) Yes with limitations

Instant Messaging No

Interface with Social Networking Yes with limitations

Self Service Web Portal Yes

Personalized web portal or web pages No

Web Forms and Applications Yes

Streaming Video No

Blog or Vlog No

Campus event and visit registration Yes

SPAM filter controls for email Yes

Campaign effectiveness tools Yes

Ability to link or upload documents through web

If these tools are available, what is the capacity? Can transcripts and communication be tracked and logged?

Yes

Can actions taken by institution and/or student be used to trigger other communication?

 Yes

Is there a limit to the number of inquiry forms that can be created?

There is no practical limit

Event and Travel Management
Edit section

Does your system provide the ability for an institution to manage events, such as on-campus recruitment programs as well as support for externally managed events such as college fairs?

Yes

Does your system provide event calendars and schedules; in addition does it provide a tool for constituents to register for an event online?

Yes.

Does your system provide the ability to track event status (in planning, occurring, cancelled, occurred, etc.) and control event registration by using this information?

Event status is tracked, and events registration can be tied to that status

Does your system provide the ability to create a waitlist for campus events once capacities have been reached?

No. Manual registration can be done by staff if event is over capacity

Does your system provide ability for recruitment staff to schedule visits in association with high school and community college data incorporated into system?

Staff can schedule appointments based on calendar events from outside sources.

Can your system link travel schedule to MS Outlook Calendar and external mapping/directional web service?

Yes. Enrollment Manager has a fully featured MS Outlook client

Can we attach personal event itineraries to email messages (automatically)?

Not possible to “automatically” attach the standard event itinerary report to an email confirmation message. However, special requests can be addressed and information about multiple requests can be sent in a single confirmation message—with details about appointment times, designated hosts, and meeting locations.

Back Office Tools
Edit section

Does your system provide the ability to upload and attach documents to records

Yes

Does your system allow for automated incident workflow management? If so, can you provide configurable business rules/workflow allowing inquiries to be automatically routed to agents without user intervention?

Enrollment Manager can route inquires based on student supplied information

Third Party Integration
Edit section

Do you have an interface with CollegeNet to accept application information?

No

Do you have an interface with Common App to accept application information?

Yes. Common App will produce specially-formatted files for direct import into Enrollment Manager

Product Technology Integration
Edit section

What platform does your system use (SQL, Oracle, ect) and how easy is it to get information out of the system?

Enrollment Manager is based on Microsoft Dynamics CRM and offers multiple ad hoc and scheduled export channels.

Describe any supplemental third-party products your solution requires, supports, integrates with or is dependent upon

Enrollment Manager is constructed on the Microsoft Dynamics CRM platform. Internet Explorer is required. The Outlook plugin provides nearly seamless integration with Microsoft Outlook and other MS Office applications

Is your system web-based or do we need to install a client on user's workstations? If it is web based, does it support Windows, MAC, and tablet computers?

Enrollment Manager itself is entirely web based. The Outlook client requires installation on the user workstation. Internet Explorer is required.

Does your system integrate with Microsoft Office products?

Yes, Enrollment Manager is based on the Microsoft Dynamics CRM platform.

Can we post content to a set of prospective student Facebook pages based on a query (or Outreach list).

The Facebook API does not allow for mass postings; as a result, posts currently have to be made on an individual basis. Clients can still generate queries or Outreach lists to identify targeted prospects that should have information posted to their Facebook pages. Our 2011 version will allow clients to generate these posts, including images, links and text, just like the existing capabilities in Facebook.

Do you support the ability to upgrade system to higher release while maintaining system customizations?

Yes.

Do you have user defined fields? Is this very flexible?

In the strictest sense, no. However Enrollment Manager supports many descriptive fields that can accommodate most purposes

Data and System Security
Edit section

Does your system have the ability to setup different levels of permissions for customizing roles?

Yes

What mechanisms does your system have to protect the privacy of records in accordance with institutional policies?

Good overview from the Knowledge Base

http://help.422x.com/@api/deki/files/105/=Admissions_Lab_Enrollment_Manager_Security_Overview.pdf

Does your system support single sign-on access?

Not externally with a tool such as Shibboleth. The different modules within Enrollment Manager support SSO once in the application.

Describe your systems functionality to handle SPAM filters, blacklisting/white-listing policies, and privacy laws to ensure messages are in compliance with legislation and have the best possible chance of being successfully delivered to and read by contacts.

Recipients can opt out/unsubscribe with a single click, or opt out of entire classes of communication at time of contact.

Enrollment Manager supplies many tools for evaluating and tracking email content. More information on whitelisting is available in our Knowledge Base

What is the naming standard for user IDs (e.g., first initial of first name + surname)?

No standard is used, to prevent guessing usernames. Usernames are manually generated by Admissions Lab staff based on some user attribute chosen ad-hoc

Is there a standard user profile or definitions of user roles that are used for user account management?

Yes, there are three basic roles:

Administrator: The maximum level of Enrollment Manager access including but not limited to creating reports, creating/ initiating duplicate check processes, creating teams, etc…

User: Standard access for all basic Enrollment Manager functionality including the ability to modify/add records, utilize Advanced Find, create/manage outreach lists, etc…

Read-only: User may view information, but no additions or modifications can be made.

Pasted from <http://help.422x.com/Knowledge_Base/Security>

Are automatic logoff (session time-out) features implemented for the application? If yes, what is the period of inactivity prior to automatic logoff or session time-out?

Yes, sessions are automatically terminated after 8 hours of inactivity.

Is there a mechanism for allowing a user to be granted emergency access to Confidential information (e.g., EPHI, PII, or cardholder data)?

No

What are the application’s password length (both minimum and maximum) requirements?

  • Minimum of 8, maximum of 32
  • Are special characters recognized? Yes
  • If yes, please describe
  • Passwords are not user-configurable but rather maintained entirely by Admissions Lab staff according to our guidelines on Strong Passwords as defined below:
  • Contain both upper and lower case characters (e.g., a-z, A-Z)
  • Have digits and punctuation characters as well as letters e.g., 0-9, !@#$%^&*()_+|~-
  • =\`{}[]:";'<>?,./)
  • Are at least eight alphanumeric characters long.
  • Are not a word in any language, slang, dialect, jargon, etc.
  • Are not based on personal information, names of family, etc.

 

Does the application prevent the users from reusing a password?

Yes. Users cannot configure their own passwords.

Is the user’s account locked after a predetermined number of consecutive unsuccessful logon attempts?

No.

Does the application log activity that can be traced to a specific user (e.g. logins/failed logins, accessing, altering, creating, deleting records)?

Yes, at the database level using SQL Server Audit. The information is maintained but is not routinely extracted.

If yes, does the application log activity include logon/logoff attempts, data access inquiry activity (e.g. screens viewed and reports printed), data entries, changes and deletions?

Yes, that level of information can be obtained.

Do the audit logs contain Confidential information (e.g., EPHI, PII, or cardholder data) or user credentials?

Not generally. It is possible that a log report would contain, by necessity, information on a PII data change, such as a change to SSN, which may reveal the actual data to review initial/final state questions. Content of any given log report would depend on the report’s purpose.

If the answer to the question above is YES, are the audit log files encrypted ?

Yes, using Three-key triple DES, AES 128

Are audit log files protected from unauthorized alteration by limiting access only to those with appropriate access privileges?

Yes. Audit logs are available only to datacenter and DBA staff.

How long are the audit logs retained for? At what size limit or time limit are they overwritten? Please describe

Audit logs are generated on an on-demand basis and destroyed when the demand is met.

Are audit logs regularly reviewed?

No, they are created ad-hoc.

If yes, please indicate how frequently the audit log files are reviewed (e.g, daily, monthly, only for diagnostics)

Only for diagnostics/research

Is there a process in place to manage and provide ongoing support to the application including operating system changes, security updates and patches to the application?

Yes. Admissions Lab manages the OS changes and patching of both the Enrollment Manager application layer and the underlying database/middleware layer.

Is there a process to review changes prior to implementation in the production environment?

Yes, there is a configuration management and SQA process in place to manage and test platform changes across Admissions Lab staff functional areas.

If yes, are the changes authorized by management?

Yes.

Is there a security configuration standard and process implemented for operating system/middleware platform that supports the application?

Yes. As a Microsoft Gold Certified Partner, Admissions Lab is able to leverage existing Microsoft testing and technology to ensure that our applications meet industry standards for security, performance and accessibility. Key components of this strategy include Microsoft Windows Server 2008, Microsoft SQL Server 2008 and a set of private Microsoft Dynamics CRM encryption keys.

More detail is available here:http://help.422x.com/@api/deki/files/105/=Admissions_Lab_Enrollment_Manager_Security_Overview.pdf

Is there a periodic technical vulnerability testing established for the application (e.g. application layer penetration testing)?

Yes. Enrollment Manager is built on Microsoft’s Dynamics CRM platform, which leverages Microsoft testing and assessment of vulnerabilities to both the platform itself and the underlying components such as IIS and SQL Server 2008. Changes or customizations made by Admissions Lab comply with the security standards and requirements for those platforms and applications.

More information on the Microsoft security considerations for Dynamics CRM can be found here:http://technet.microsoft.com/en-us/library/gg583970.aspx

Vulnerability and penetration testing is also performed by Admissions Lab’s data center partner.

Is there a security testing methodology included in the Software Development Life Cycle (SDLC) for this application (e.g., security testing is performed prior to deploying the application into the production environment)?

Yes, as above.

Does the system use the SSN only as a data element or alternate key to a database and not as a primary key to a database?

Yes. SSN is simply an attribute. The primary keys to the database elements are hexadecimal values not visible via the presentation layer.

Is there a process or technology in place to encrypt the cardholder data and other data in the database (e.g. field-level, tablespace or column-level encryption)?

Yes, all Enrollment Manager data is encrypted at page level using the transparent data encryption capabilities of Microsoft SQL Server 2008. In addition, MS Dynamics CRM encrypts application layer transactions using three types of private encryption keys.

Does the application employ any form of data masking or encryption (i.e. Credit Card Number or Social Security Number: ***-**-NNNN)?

Credit cards are not stored in the system. SSN is stored as a text attribute and is not masked but can be hidden.

Is Confidential information (e.g., EPHI, PII, or cardholder data) from the production environment used in any development/test/QA environments?

No.

Is the application hosted within a VMWare environment?

No.

What is the process and technology used for data backups from the application (e.g. file copy, tape backup, journal of transactions or snapshots, etc.)?

Admissions Lab uses Microsoft Data Protection Manager (DPM) to backup to storage. In addition, weekly backups are taken offsite via tape.

Are data backups currently encrypted?

Yes.

If yes, please indicate the encryption algorithms that are used:

Three-key triple DES, AES 128

Are tape back-ups for this application maintained in a secure off-site facility?

Yes.

Do any vendors or other third-parties access the application remotely for support purposes?

Yes. Admissions Lab staff will access the application and data directly for support purposes from remote facilities.

Which connection methods are used to remotely access or support the application?

SSL tunneling

If any vendors or other third-parties access the application remotely for support purposes, is the remote access session encrypted?

Yes. Access to the application is only available via SSL. Access to the data layer is only available through the application.

Have plans for contingencies and disaster recovery for the Information Resources been established?

Yes. If data is lost due to user error, hardware problems, or other environmental issues, recovery is available through backup/restore procedures as described below.

Procedures
Edit section

Admissions Lab System Administrators or Engineers determine that an event has occurred that includes data loss.

The Engineering personnel record information about the nature of the event, the diagnostics that were performed and a list of the clients that were affected. The situation is then escalated immediately to the senior management, Senior Engineers and Senior Support managers.

Each member of this team work specifically on assigned tasks:

Set up a triage to determine, for each client, the extent of data loss caused by the event and what equipment and data can be recovered immediately.

Accumulate the complete configurations for each effected component including the following: server configurations builds, archived data and files, server hardware specifications, security and firewall specifications, local and wide area network (public and private) configurations, applications and environmental (e.g. power/cooling) requirements.

Contact clients with a detailed assessment of the situation and a plan for restoration of data.

Assign dedicated project managers and associated teams (i.e. system and network engineering, professional services personnel) to facilitate the recovery process. One or more of these teams will be assigned to one or more clients, depending on the severity of the event and the size and complexity of the solution.

The teams of technical staff, led by the project managers will then execute the recovery process.

Notification
Edit section

Clients will be contacted immediately by e-mail when Admissions Lab detects a loss of data or is notified by a user about the loss of data due to user error.

Subsequent contacts will be made on a daily basis to ensure that each client is kept abreast of every development regarding the recovery/restoration of data.

 

Has the Recovery Time Objective (RTO is defined as the amount of time it takes to recover a system) been established?

No. Given the differing and changing client configurations and requirements, no specific RTO SLA is established at this time.

Has the Recovery Point Objective (RPO is defined as the maximum data loss the business can incur in an event) been established?

Yes. Full backups are taken every two weeks, with daily differential backups. Client data loss would be therefore be very limited and predictable based on the point of failure.

Do the backup requirements for the system and data support the established RTO and RPO requirements?

Yes. Monitoring, backup and notification procedures are assessed to be sufficiently robust to meet both the RTO and RPO requirements in Admissions Lab policy statements.


Comments