HECVAT Full v3.0.6
Company
COMP-03

Question COMP-03

Do you have a dedicated Information Security staff or office?

Weight: 15
High Risk: No
Required: Yes
Compliant Answer: Yes

Standard Guidance

EDUCAUSE provides no guidance here

Answering "NO"

Describe any plans to create an Information Security Office for your organization.

Answering "YES"

Describe your Information Security Office, including size, talents, resources, etc.

Reason for Question

The size (and capabilities) of a vendor's security program has a significant impact on the vendor's ability to respond effectively to a security incident. The size of a vendor will determine the size of its security office, or whether it has one at all. Use this response as context when evaluating the vendor's other statements.

Follow-Up Inquiries

Vague responses to this question should be investigated further. Vendors without dedicated security personnel commonly either have no security function or have security embedded or dual-homed within operations (administrators). Ask about separation of duties, principle of least privilege, etc. There are many ways to get additional information about the state of the vendor's security program.
