Question OPPP-04
Do you have a documented information security policy?
| Weight | 20 |
| High Risk | No |
| Required | Yes |
| Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here
Answering "NO"
State plans to implement information security policy at your company.
Answering "YES"
Provide a reference to your information security policy or submit documentation with this fully populated HECVAT-OnPrem.
Reason for Question
A shared security [responsibility] environment is expected of vendors in today's world. Security offices cannot solely protect an institution's data. Information security, ingrained in an organization, is the best case scenario for the protection of institutional data. Security awareness and practice start in a vendor's policies.
Follow-Up Inquiries
If the vendor does not have document information security policy, follow-up questions about training, company practices, awareness efforts, auditing, and system protection practices are appropriate.
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]