GNRL-03

Solution Description

Explanation

The 'Solution Description' question in the HECVAT (Higher Education Community Vendor Assessment Toolkit) is asking you to provide a comprehensive overview of your product or service. This question serves as a foundation for the security assessment by helping the evaluators understand what your solution does, how it works, and what systems or data it might interact with.

This question is being asked because security risks can only be properly evaluated in context. The evaluators need to understand your solution's purpose, architecture, and functionality to properly assess the relevance and severity of potential security concerns. For example, a solution that processes sensitive student data would be evaluated differently than one that simply provides informational content.

To best answer this question, you should:

1. Clearly describe what your product or service does in functional terms
2. Outline the key components or modules of your solution
3. Explain how users interact with your solution
4. Mention what types of data your solution processes or stores
5. Note any integrations with other systems
6. Describe deployment models (cloud-based, on-premises, hybrid, etc.)
7. Include any relevant technical details that would help evaluators understand security implications

Your description should be thorough but concise, focusing on aspects that have security implications. Avoid marketing language and focus on factual information about functionality and architecture.

Example Responses

Example Response 1

CloudGrade is a cloud-based learning management system (LMS) that enables educational institutions to manage course content, student assignments, and grade tracking. The solution consists of three main components: (1) a web application for instructors and administrators to create and manage courses, (2) a student portal for accessing course materials and submitting assignments, and (3) a backend database that stores course content, user information, and academic records. CloudGrade is hosted on AWS infrastructure using containerized microservices architecture with separate environments for production, staging, and development. The solution processes student PII (name, ID, email), academic records, and course materials. It integrates with institutional authentication systems via SAML/SSO and can connect to Student Information Systems through a REST API. Data is encrypted both in transit (TLS 1.2+) and at rest (AES-256).

Example Response 2

SecureFile is an enterprise document management and collaboration platform designed specifically for higher education research departments. Our solution provides secure storage, version control, and collaboration features for sensitive research documents and data sets. The platform is deployed as a hybrid solution with core document processing and storage components installed on-premises within the institution's data center, while collaboration features are delivered through our FedRAMP-compliant cloud infrastructure. SecureFile handles various data types including research documentation, intellectual property, and potentially sensitive research data. The system employs role-based access controls, comprehensive audit logging, and integrates with institutional identity providers through LDAP/Active Directory. All data is encrypted using AES-256 encryption, and the solution supports customer-managed encryption keys for maximum control.

Example Response 3

EduAnalytics is a data visualization tool that helps institutions analyze student performance metrics. We currently offer this as a desktop application that must be installed on individual computers. The application connects directly to your student information database to pull anonymized performance data. While we implement basic authentication for database connections, our solution does not yet support encryption for data in transit or at rest. We're a small company and currently don't have formal security policies or dedicated security staff, but we're working on improving these aspects. The application stores connection credentials locally on each user's machine in a configuration file that is not encrypted. We recognize these limitations and are planning security enhancements in our next major release scheduled for next year.

Context

Tab: Infrastructure
Category: General Information

Neil Cameron
Founder, ResponseHub