Documentation
HECVAT Full v3.0.6
Vulnerability Scanning
VULN-02

Question VULN-02

Have your systems and applications had a third-party security assessment completed in the last year?

Weight: 20
High Risk: No
Required: No
Compliant Answer: Yes

Standard Guidance

EDUCAUSE provides no guidance here.

Answering "NO"

State plans to have your systems and applications assessed by a third party.

Answering "YES"

Provide the results with this document (link or attached), if possible. State the date of the last completed third-party security assessment.

Reason for Question

External verification of system and application security controls is important when managing a system. "Trust, but verify" is the focus of this question. In most cases, HECVAT responses are taken at face value and verified within reason. When a vendor can attest to its controls and provide external evidence supporting that attestation, it goes a long way in building trust that the vendor will appropriately protect institutional data.

Follow-Up Inquiries

Ask if there has ever been a vulnerability scan. A short lapse in external assessment validity can be understood (if there is a planned assessment), but a significant time lapse or none whatsoever is cause for elevated levels of concern.
