Question VULN-06
Will you allow the institution to perform its own vulnerability testing and/or scanning of your systems and/or application, provided that testing is performed at a mutually agreed upon time and date?
Weight | 25 |
High Risk | Yes |
Required | Yes |
Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
Provide a brief summary for your response.
Answering "YES"
Provide a reference to the process or procedure for setting up security testing times and scopes.
Reason for Question
Many higher education institutions are capable of performing vulnerability assessments and/or penetration testing on their vendors' infrastructures. This question confirms the possibility of conducting these actions against the vendor's infrastructure.
Follow-Up Inquiries
Follow-up inquiries for vulnerability scanning and penetration testing will be institution/implementation specific.