Question VULN-01
Are your systems and applications regularly scanned externally for vulnerabilities?
| Attribute | Value |
|---|---|
| Weight | 15 |
| High Risk | No |
| Required | Yes |
| Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
Describe any plans to implement external vulnerability scanning for your applications.
Answering "YES"
Describe your external application vulnerability scanning strategy.
Reason for Question
External verification of application security controls is important when managing a system. "Trust, but verify" is the focus of this question. HECVAT responses are generally taken at face value and verified within reason. When a vendor can attest to a control and provide externally produced evidence supporting that attestation, it goes a long way toward building trust that the vendor will appropriately protect institutional data.
Follow-Up Inquiries
If "No," inquire whether an external vulnerability scan has ever been performed. A short lapse in external assessment validity can be understood if there is a planned assessment, but a significant time lapse, or no scanning whatsoever, is cause for elevated concern.
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]