Documentation
HECVAT Lite v3.0.6
Application/Service Security
HLAP-02

Question HLAP-02

Are access controls for staff within your organization based on structured rules, such as RBAC, ABAC, or PBAC?

Weight15
High RiskNo
RequiredYes
Compliant AnswerYes

Standard Guidance

This includes system administrators and third party personnel with access to the system. PBAC would include various dynamic controls such as conditional access, risk-based access, location-based access, or system activity based access.

Answering "NO"

Describe any limitations that prevent support for RBAC within your organization.

Answering "YES"

EDUCAUSE provides no guidance here

Reason for Question

Managing a software/product/service may rely on various professionals to administrate a system. This question is focused on how administration, and the segregation of functions, is implemented within the vendor's infrastructure.

Follow-Up Inquiries

Managing a complex infrastructure requires diligence in protecting access and authority. Unsatisfactory responses may indicate the lack of maturity with a vendor and/or a flat infrastructure with few individuals with broad authority. Inquire about separation of duties and look for areas of inappropriate functional overlap.

HECVAT Pro Advice

[Add expert insights and best practices]

Implementation Tips

[Add practical steps for SME SaaS vendors]

FAQ

[Add common questions related to this HECVAT item]

Resources

[Add links to relevant articles or tools]