Question HLTP-01
Will institutional data be shared with or hosted by any third parties? (e.g., any entity not wholly owned by your company is considered a third party)
Weight | 0 |
High Risk | No |
Required | Yes |
Compliant Answer | No |
Standard Guidance
The institution views hosted solutions such as AWS, Rackspace, Azure, and other PaaS/SaaS offerings as third parties. If services such as these are used in your environment, respond "Yes."
Answering "NO"
There is no need to answer HLTP-02 through HLTP-04.
Answering "YES"
State each third party that institutional data will be shared with and/or hosted by and their level of responsibility.
Reason for Question
Management networks and end-user networks are often exclusive, with the intent of limiting access to elevated authorization tools. When a vendor states these networks are merged in operation, it should be met with elevated levels of concern. The focus of this question is to verify a common best practice in system management, allowing an institution to gain insight into a vendor's operating environment.
Follow-Up Inquiries
Verify whether the vendor's practice is constrained by a technology or is simply a best practice that has not been adopted. Where there are constraints, ask which additional best-practice implementation strategies may compensate for the elevated risk(s).