HECVAT Category
Datacenter
Datacenter covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Select your hosting option.
This question is asking about where and how your application or service is hosted - essentially, where your servers and data physically or virtually reside. In a security assessment like HECVAT (Higher Education Cloud Vendor Assessment Tool), this information is crucial because different hosting models present different security considerations, risks, and compliance requirements.
Is a SOC 2 Type 2 report available for the hosting environment?
This question is asking whether a SOC 2 Type 2 audit report is available for the datacenter or hosting environment where your service/application runs.
Are you generally able to accommodate storing each institution's data within its geographic region?
This question is asking whether your service can store an institution's data within the specific geographic region where that institution is located. This is important for several reasons:
Are the data centers staffed 24 hours a day, seven days a week (i.e., 24 x 7 x 365)?
This question is asking whether your data centers have personnel physically present at all times, without any gaps in coverage.
Are your servers separated from other companies via a physical barrier, such as a cage or hard walls?
This question is asking whether your organization's physical servers are isolated from other companies' equipment within a datacenter through physical barriers like cages or hard walls.
Does a physical barrier fully enclose the physical space, preventing unauthorized physical contact with any of your devices?
This question is asking whether your datacenter or server room has complete physical barriers (like walls, fences, or security enclosures) that prevent unauthorized individuals from physically touching, tampering with, or accessing your computing equipment.
Are your primary and secondary data centers geographically diverse?
This question is asking whether your organization maintains primary and secondary data centers that are located in different geographic regions. Geographic diversity in data centers is a critical aspect of disaster recovery and business continuity planning.
Is the service hosted in a high-availability environment?
This question is asking whether your service is hosted in an environment designed to minimize downtime and service disruptions. A high-availability (HA) environment includes redundant components, systems, and infrastructure to ensure continuous operation even when individual components fail.
Is redundant power available for all data centers where institutional data will reside?
This question is asking whether your data centers have backup power systems in place to ensure continuous operation during power outages or disruptions.
Are redundant power strategies tested?
This question is asking whether your organization tests the backup power systems in your datacenter to ensure they work properly when needed. Redundant power strategies refer to backup power systems like uninterruptible power supplies (UPS), generators, or multiple power feeds that keep your datacenter operational during power outages.
Does the center where the data will reside have cooling and fire-suppression systems that are active and regularly tested?
This question is asking whether the data center facility has proper cooling and fire-suppression systems that are not only installed but also actively maintained and regularly tested.
Do you have Internet Service Provider (ISP) redundancy?
This question is asking whether your organization has multiple Internet Service Providers (ISPs) to ensure continuous internet connectivity even if one provider experiences an outage.
Does every data center where the institution's data will reside have multiple telephone company or network provider entrances to the facility?
This question is asking whether each data center that will store the institution's data has multiple connections to telephone companies or network service providers entering the facility.
Do you require multifactor authentication for all administrative accounts in your environment?
This question is asking whether your organization requires multiple forms of authentication (multifactor authentication or MFA) for administrative accounts that have privileged access to your datacenter environment.
Are you using your cloud provider's available hardening tools or pre-hardened images?
This question is asking whether your organization utilizes the security hardening features provided by your cloud service provider (CSP) to strengthen your cloud infrastructure.
Does your cloud solution provider have access to your encryption keys?
This question is asking whether your cloud service provider (CSP) has access to the encryption keys that protect your data stored in their cloud environment. Encryption keys are digital credentials that control the ability to decrypt encrypted data. If your CSP has access to these keys, they could potentially decrypt and access your data.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.
