Documentation
HECVAT Full v3.0.6
Documentation
DOCU-04

Question DOCU-04

Do you conform with a specific industry standard security framework? (e.g., NIST Cybersecurity Framework, CIS Controls, ISO 27001, etc.)

Weight20
High RiskNo
RequiredYes
Compliant AnswerYes

Standard Guidance

EDUCAUSE provides no guidance here

Answering "NO"

Describe any plans to conform to an industry standard security framework.

Answering "YES"

Provide documentation on how your organization conforms to your chosen framework and indicate current certification levels, where appropriate.

Reason for Question

The details of the standard are not the focus here; it is the fact that a vendor builds their environment around a standard and that they continually evaluate and assess their security programs.

Follow-Up Inquiries

In an ideal world, a vendor will conform to an industry framework that is adopted by an institution. When this synergy does not exist, the interpretation of the vendor's responses must be interpreted in the context of the institution's environment. Follow-up inquires for industry frameworks (and levels of adoption) will be institution/implementation specific.

HECVAT Pro Advice

[Add expert insights and best practices]

Implementation Tips

[Add practical steps for SME SaaS vendors]

FAQ

[Add common questions related to this HECVAT item]

Resources

[Add links to relevant articles or tools]