Question CHNG-11
Do you have policy and procedure, currently implemented, guiding how security risks are mitigated until patches can be applied?
Weight | 20 |
High Risk | No |
Required | Yes |
Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
State your plans to implement policy and procedure(s) guiding risk mitigation practices before critical patches can be applied.
Answering "YES"
Summarize the policy and procedure(s) guiding risk mitigation practices before critical patches can be applied.
Reason for Question
New vulnerabilities are published every day, and vendors have a responsibility to maintain their software. Operating a system inherently exposes it to some risk, but it is crucial that a vendor recognize its responsibilities and have a plan for carrying them out when the time arrives.
Follow-Up Inquiries
Follow-up inquiries about the vendor's patching practices will be institution- and implementation-specific.