GNRL-03

Solution Description

Explanation

The 'Solution Description' question in the HECVAT (Higher Education Community Vendor Assessment Toolkit) is asking you to provide a comprehensive overview of your product or service. This question serves as an introduction to your solution so that security assessors can understand what they're evaluating.

This question is being asked in a security assessment for several important reasons:

1. Context Setting: It helps the assessor understand the scope and purpose of what they're evaluating, which informs how they interpret other security controls.
2. Risk Assessment: Different types of solutions carry different inherent risks. For example, a solution that processes sensitive student data has different risk considerations than one that manages facility maintenance schedules.
3. Architecture Understanding: How your solution is designed and deployed (cloud-based, on-premises, hybrid) affects its security profile and what controls are relevant.
4. Data Flow Mapping: Understanding what your solution does helps assessors map how data flows through it, which is critical for security analysis.

When answering this question, you should:

- Clearly describe what your product or service does in non-technical language
- Explain the deployment model (SaaS, on-premises, etc.)
- Mention what types of data it handles
- Briefly note any key security features
- Include the primary use case for higher education institutions

Avoid using excessive technical jargon or marketing language. Focus on providing a clear, factual description that helps security professionals understand what they're assessing.

Example Responses

Example Response 1

LearnSpace is a cloud-based learning management system (LMS) that enables educational institutions to deliver online courses, manage student assignments, and track academic progress. The solution is deployed as a Software-as-a-Service (SaaS) application hosted in AWS data centers with SOC 2 Type II compliance. LearnSpace processes student enrollment data, course materials, grades, and communication between instructors and students. The system features role-based access controls, end-to-end encryption for all data in transit and at rest, and integrates with institutional identity providers via SAML 2.0 for single sign-on capabilities. Higher education institutions typically use LearnSpace to support both fully online courses and as a supplement to traditional classroom instruction.

Example Response 2

SecureExam is an on-premises examination proctoring solution that provides secure testing environments for academic assessments. The system consists of a central server component installed on the institution's infrastructure and client applications that run on student devices during exams. SecureExam monitors student activity through webcam recording, screen capture, and browser lockdown features to prevent academic dishonesty. The solution processes student identification information, exam content, and behavioral monitoring data. All data is stored locally within the institution's infrastructure, with optional encrypted backups to institution-managed cloud storage. Universities and colleges primarily use SecureExam for high-stakes testing in both physical testing centers and remote examination scenarios where maintaining academic integrity is critical.

Example Response 3

CampusConnect is a mobile application that provides campus navigation and event information to students. Our solution is available on iOS and Android platforms and connects to a simple backend hosted on Microsoft Azure. The app allows students to view campus maps, check dining hall menus, and receive notifications about campus events. While we do collect basic user information such as names and email addresses, we do not process any sensitive personal data, academic records, or financial information. The application is primarily used by higher education institutions to improve student engagement and campus communication. Note: Our solution does not currently implement data encryption at rest, and we are in the process of developing a more comprehensive security program as we grow beyond our initial startup phase.

Context

Tab: IT Accessibility
Category: General Information

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub