HECVAT Category
Required Questions
The Required Questions category covers the controls and questions in this domain. It outlines the expectations institutions typically have of vendors, helps assess risk posture and operational maturity, and provides structure for consistent evaluation during security reviews.
Assessment Questions
Are you providing consulting services?
This question asks whether your organization provides consulting services as part of its business offerings. In a security assessment, this matters because consulting services often involve different security considerations than software products or other services.
Does your solution process protected health information (PHI) or any data covered by the Health Insurance Portability and Accountability Act (HIPAA)?
This question asks whether your software solution or service processes Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).
Is the solution designed to process, store, or transmit credit card information?
This question asks whether your software solution is designed to handle credit card information at any point in its operation. This includes processing transactions, storing credit card numbers or details, or transmitting this information between systems.
Does operating your solution require the institution to operate a physical or virtual appliance in their own environment or to provide inbound firewall exceptions to allow your employees to remotely administer systems in the institution's environment?
This question is asking whether your solution requires the institution to:

