GNRL-03

Solution Description

Explanation

The 'Solution Description' question in the HECVAT (Higher Education Community Vendor Assessment Toolkit) is asking you to provide a comprehensive overview of your product or service. This question serves as a foundational element of the security assessment, allowing the evaluating institution to understand what your solution does, how it works, and what security considerations might be relevant based on its functionality.

This question is being asked because security risks and requirements vary significantly depending on the nature of the solution. For example, a cloud-based student information system that processes sensitive student data has different security implications than a digital signage management tool. By understanding what your solution does, security assessors can better contextualize the rest of your responses and identify potential security concerns specific to your type of solution.

When answering this question, you should:

1. Provide a clear, concise description of your product or service
2. Explain the core functionality and purpose
3. Mention the technical architecture at a high level (cloud-based, on-premises, hybrid, etc.)
4. Identify the types of data your solution typically handles
5. Note any integrations with other systems that might be relevant
6. Highlight any security-relevant features built into the solution

Avoid using excessive marketing language or technical jargon without explanation. The goal is to help the assessor understand what your solution does in practical terms, not to sell them on its benefits.

Example Responses

Example Response 1

SecureLearn is a cloud-based Learning Management System (LMS) designed specifically for higher education institutions. The solution provides course management, content delivery, student assessment, and communication tools for faculty and students. SecureLearn is hosted on AWS infrastructure in the US-East region with database replication to US-West for disaster recovery purposes. The application follows a multi-tenant architecture where each institution's data is logically separated within our database structure. The solution processes academic content, student submission data, grades, and limited personal information (names, email addresses, and institutional IDs). SecureLearn integrates with common Single Sign-On providers (SAML 2.0 compatible), Student Information Systems via API, and third-party plagiarism detection tools. Security features include role-based access controls, all data encrypted at rest and in transit, and comprehensive audit logging of all system activities.

Example Response 2

DataVault is an on-premises research data management platform that helps universities securely store, process, and analyze sensitive research data. The solution consists of a central management server and client applications that can be installed on research workstations. DataVault supports secure storage of various data types including human subject research data, proprietary research information, and large datasets from scientific instruments. The system implements a hierarchical storage architecture with hot storage for active projects and cold storage for archived data. Security is built into the core of DataVault with features including end-to-end encryption, granular permission controls, comprehensive data provenance tracking, and automated compliance reporting for common research data regulations (HIPAA, GDPR, etc.). The solution can integrate with institutional identity management systems and high-performance computing environments through our secure API gateway.

Example Response 3

CampusConnect is a mobile application platform that enhances student engagement through campus event management, peer-to-peer messaging, and campus resource discovery. Our solution is cloud-based, utilizing Microsoft Azure services primarily in the North America region. The application consists of a mobile frontend (iOS and Android) and a web-based administration portal. While we do not process sensitive academic or financial data, we do collect basic user profile information, location data (when explicitly permitted by users), and usage analytics to improve the service. Note that our current implementation does not include end-to-end encryption for messaging, and data retention policies are configurable by each institution but default to indefinite retention. We're currently developing enhanced security features including message encryption and automated data lifecycle management for our next major release scheduled for Q3 of this year.

Context

Tab: Case-Specific
Category: General Information

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub