HECVAT Category

Required Questions

Required Questions covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.

Assessment Questions

REQU-03

Are you providing consulting services?

At issue here is simply whether your organization offers consulting services as part of what you provide. In a security assessment context, this is important because consulting services often involve different security considerations compared to software products or other services.

REQU-05

Does your solution process protected health information (PHI) or any data covered by the Health Insurance Portability and Accountability Act (HIPAA)?

HIPAA scope is what's being established: whether your solution processes Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act.

REQU-06

Is the solution designed to process, store, or transmit credit card information?

At issue is whether the solution is designed to process, store, or transmit credit card information in any way. This includes processing transactions, storing credit card numbers/details, or transmitting this information between systems.

REQU-07

Does operating your solution require the institution to operate a physical or virtual appliance in their own environment or to provide inbound firewall exceptions to allow your employees to remotely administer systems in the institution's environment?

Deployment footprint is what's being clarified here: whether running your solution forces the institution to host an appliance on-site or open inbound firewall exceptions so your staff can administer systems remotely. Install and maintain any physical hardware or virtual appliances within their network environment, or

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron