HECVAT Category
Firewalls, IDS, IPS, and Networking
Firewalls, IDS, IPS, and Networking covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Are you utilizing a stateful packet inspection (SPI) firewall?
Network perimeter defense is what's being checked, specifically whether your infrastructure relies on a stateful packet inspection (SPI) firewall.
Do you have a documented policy for firewall change requests?
Firewall change governance is the focus here, specifically whether a documented policy controls how firewall changes are requested, approved, implemented, and recorded.
Have you implemented an intrusion detection system (network-based)?
Network monitoring is the subject of this control, asking whether you have deployed a network-based intrusion detection system to spot malicious traffic.
Do you employ host-based intrusion detection?
Host-based intrusion detection is the topic: whether you run HIDS agents on servers, workstations, and other endpoints to spot malicious activity at the device level.
Are audit logs available for all changes to the network, firewall, IDS, and IPS systems?
Auditability of network and security device changes is what reviewers want to see, meaning detailed logs of every modification to firewalls, IDS, and IPS systems.
Is authority for firewall change approval documented? Please list approver names or titles in Additional Info.
Reviewers want documented accountability for firewall changes, including a formal approval process and a clear record of who holds the authority to approve them.
Have you implemented an intrusion prevention system (network-based)?
Network defense is what's being checked, specifically whether you have deployed a network-based intrusion prevention system (IPS).
Do you employ host-based intrusion prevention?
Host-based intrusion prevention is the subject: whether you run HIPS on your servers, workstations, or other endpoints to block threats at the device level.
Are you employing any next-generation persistent threat (NGPT) monitoring?
Advanced threat detection is in scope here: whether you employ next-generation persistent threat (NGPT) monitoring built to catch sophisticated attacks that ordinary controls miss.
Is intrusion monitoring performed internally or by a third-party service?
How intrusion monitoring gets staffed is the point here: assessors want to know whether you run it in-house, hand it to a third-party provider, or blend the two.
Do you monitor for intrusions on a 24 x 7 x 365 basis?
Around-the-clock vigilance is the expectation here: institutions want confirmation that you monitor for intrusions continuously, 24 hours a day, every day of the year. '24 x 7 x 365' means 24 hours a day, 7 days a week, 365 days a year - essentially, without any gaps in coverage.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

