Question HLSY-04
Have your systems and applications had a third-party security assessment completed in the past year?
| Weight | 15 |
| High Risk | No |
| Required | Yes |
| Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
State plans to have your systems and applications assessed by a third party.
Answering "YES"
Provide the results with this document (link or attached), if possible. State the date of the last completed third-party security assessment.
Reason for Question
External verification of system and application security controls are important when managing a system. Trust, but verify, is the focus of this question. HECVAT responses are taken at face value and verified within reason, in most cases. When a vendor can attest to and provide externally provided evidence supporting that attestation, it goes a long way in building trust that the vendor will appropriately protect institutional data.
Follow-Up Inquiries
Ask if there has ever been a vulnerability scan. A short lapse in external assessment validity can be understood (if there is a planned assessment), but a significant time lapse or none whatsoever is cause for elevated levels of concern.
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]