Documentation
HECVAT Full v3.0.6
Change Management
CHNG-11

Question CHNG-11

Do you have policy and procedure, currently implemented, guiding how security risks are mitigated until patches can be applied?

Weight: 20
High Risk: No
Required: Yes
Compliant Answer: Yes

Standard Guidance

EDUCAUSE provides no guidance here

Answering "NO"

State your plans to implement policy and procedure(s) guiding risk mitigation practices before critical patches can be applied.

Answering "YES"

Summarize the policy and procedure(s) guiding risk mitigation practices before critical patches can be applied.

Reason for Question

New vulnerabilities are published every day, and vendors have a responsibility to maintain their software. Operating a system will by its nature expose it to some risk, but it is crucial that a vendor recognize its responsibilities and have a plan to carry them out when the time arrives.

Follow-Up Inquiries

Follow-up inquiries for the vendor's patching practices will be institution/implementation specific.
