Question OPCH-04
Do procedures exist to provide that emergency changes are documented and authorized (including after-the-fact approval)?
| Weight | 15 |
| High Risk | No |
| Required | Yes |
| Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
Describe plans to implement procedure ensuring that emergency changes are documented and authorized.
Answering "YES"
Summarize implemented procedures ensuring that emergency changes are documented and authorized.
Reason for Question
In the context of the CIA triad, this question is focused on system integrity, ensuring that system changes are only executed by authorized users. In the event of emergency changes, accountability and post-action review is expected.
Follow-Up Inquiries
Follow up with a robust question set if a vendor cannot clearly state full control of the integrity of their system(s).
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]