Question COMP-03
Do you have a dedicated Information Security staff or office?
| Attribute | Value |
| --- | --- |
| Weight | 10 |
| High Risk | No |
| Required | Yes |
| Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
Describe any plans to create an Information Security Office for your organization.
Answering "YES"
Describe your Information Security Office, including size, talents, resources, etc.
Reason for Question
The size (and capabilities) of a vendor's security program has a significant impact on their ability to respond effectively to a security incident. The size of the vendor will largely determine the size of their Information Security Office, or whether one exists at all. Use the knowledge gained from this response when evaluating the vendor's other statements.
Follow-Up Inquiries
Vague responses to this question should be investigated further. Vendors without dedicated security personnel commonly have no security function at all, or security is embedded in or dual-homed with operations (i.e., handled by system administrators alongside their other duties). Ask about separation of duties, the principle of least privilege, etc. There are many ways to obtain additional information about the state of the vendor's security program.
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]