Question HLNT-02
Are you utilizing a stateful packet inspection (SPI) firewall?
| Weight | 40 |
| High Risk | Yes |
| Required | Yes |
| Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
Describe any plans to implement a SPI firewall or your currently implemented compensating controls.
Answering "YES"
Describe the currently implemented SPI firewall.
Reason for Question
The use case, vendor infrastructure, and types of services offered will greatly affect the need for various firewalling devices. The focus of this question is integrity, ensuring that the systems hosting institutional data are limited in need-only communications. The use of a WAF is important in systems in which a vendor has limited access to the to code infrastructure.
Follow-Up Inquiries
If a vendor states that they do not run a SPI firewall, there is elevated reason for concern. Ensure how network traffic is monitored and managed as well as any compensating controls currently implemented.
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]