Question THRD-01
Do you perform security assessments of third-party companies with which you share data? (e.g., hosting providers, cloud services, PaaS, IaaS, SaaS)
| Weight | 25 |
| High Risk | No |
| Required | No |
| Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
State your plans to perform security assessments of third-party companies.
Answering "YES"
Provide a summary of your practices that assures that the third party will be subject to the appropriate standards regarding security, service recoverability, and confidentiality.
Reason for Question
In the context of the CIA triad, this question is focused on system integrity, ensuring that system changes are only executed by authorized users. Additionally, it is expected that devices (for administrators, vendor staff, and affiliates) that are used to access the vendor's systems are properly managed and secured.
Follow-Up Inquiries
Follow up with a robust question set if the vendor cannot clearly state full control of the integrity of their system(s). Questions about administrator access on end-user devices and other maintenance and patching type questions are appropriate.
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]