Documentation
HECVAT Full v3.0.6
Policies, Procedures, and Processes
PPPR-02

Question PPPR-02

Do you have a documented patch management process?

Weight: 25
High Risk: Yes
Required: Yes
Compliant Answer: Yes

Standard Guidance

EDUCAUSE provides no guidance here

Answering "NO"

EDUCAUSE provides no guidance here

Answering "YES"

EDUCAUSE provides no guidance here

Reason for Question

In the context of the CIA triad, this question is focused on system integrity, ensuring that system changes are only executed according to policy. Additionally, it is expected that devices used to access the vendor's systems are properly managed and secured.

Follow-Up Inquiries

Follow up with a robust question set if the vendor cannot clearly state full control of their system patching strategy. Questions about patch testing, testing environments, threat mitigation, incident remediation, etc. are appropriate.
