Question FIDP-01
Are you utilizing a stateful packet inspection (SPI) firewall?
| Weight | 25 |
| High Risk | Yes |
| Required | Yes |
| Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
Describe any plans to implement a SPI firewall.
Answering "YES"
Describe the currently implemented SPI firewall.
Reason for Question
The use case, vendor infrastructure, and types of services offered will greatly affect the need for various firewalling devices. The focus of this question is integrity, ensuring that the systems hosting institutional data are limited in need-only communications. The use of a WAF is important in systems in which a vendor has limited access to the to code infrastructure.
Follow-Up Inquiries
If a vendor states that they outsource their code development and do not run a WAF, there is elevated reason for concern. Verify how code is tested, monitored, and controlled in production environments.
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]