Question DOCU-04
Do you conform with a specific industry standard security framework? (e.g., NIST Cybersecurity Framework, CIS Controls, ISO 27001, etc.)
Weight | 25 |
High Risk | Yes |
Required | Yes |
Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
Describe any plans to conform to an industry standard security framework.
Answering "YES"
Provide documentation on how your organization conforms to your chosen framework and indicate current certification levels, where appropriate.
Reason for Question
The details of the standard are not the focus here; it is the fact that a vendor builds their environment around a standard and that they continually evaluate and assess their security programs.
Follow-Up Inquiries
In an ideal world, a vendor will conform to an industry framework that the institution has also adopted. When this alignment does not exist, the vendor's responses must be interpreted in the context of the institution's environment. Follow-up inquiries about industry frameworks (and levels of adoption) will be institution- and implementation-specific.
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]