HECVAT Lite v3.0.6 - Third Parties - HLTP-02

Question HLTP-02

Do you perform security assessments of third-party companies with which you share data? (e.g., hosting providers, cloud services, PaaS, IaaS, SaaS)

Weight: 40
High Risk: Yes
Required: Yes
Compliant Answer: Yes

Standard Guidance

Ensure that all elements of HLTP-01 are clearly stated in your response.

Answering "NO"

State your plans to perform security assessments of third-party companies.

Answering "YES"

Provide a summary of your practices that assure that the third party will be subject to the appropriate standards regarding security, service recoverability, and confidentiality.

Reason for Question

In the context of the CIA triad, this question is focused on system integrity, ensuring that system changes are only executed by authorized users. Additionally, it is expected that devices (for administrators, vendor staff, and affiliates) that are used to access the vendor's systems are properly managed and secured.

Follow-Up Inquiries

Follow up with a robust question set if the vendor cannot clearly state full control of the integrity of their system(s). Questions about administrator access on end-user devices, along with other maintenance- and patching-related questions, are appropriate.

HECVAT Pro Advice

[Add expert insights and best practices]

Implementation Tips

[Add practical steps for SME SaaS vendors]

FAQ

[Add common questions related to this HECVAT item]

Resources

[Add links to relevant articles or tools]