Question PPPR-11

Do you have a documented information security policy?

Standard Guidance

EDUCAUSE provides no guidance here

Answering "NO"

State plans to implement information security policy at your company.

Answering "YES"

Provide a reference to your information security policy or submit documentation with this fully populated HECVAT.

Reason for Question

A shared security [responsibility] environment is expected of vendors in today's world. Security offices cannot solely protect an institution's data. Information security, ingrained in an organization, is the best case scenario for the protection of institutional data. Security awareness and practice start in a vendor's policies. The ability for the vendor to respond effectively (and quickly) to a security incident is of the utmost importance. The size of a vendor's security office will determine their capabilities during a security incident, but the incident response plan will oftentimes determine their effectiveness. Use the knowledge of this response when evaluating other vendor statements, particularly when discussing degraded operation states.

Follow-Up Inquiries

If the vendor does not have an incident response plan, point them to the NIST Computer Security Incident Handling Guide at https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final (opens in a new tab)

HECVAT Pro Advice

[Add expert insights and best practices]

Implementation Tips

[Add practical steps for SME SaaS vendors]

FAQ

[Add common questions related to this HECVAT item]

Resources

[Add links to relevant articles or tools]