HECVAT Category

Assessment of Third Parties

The Assessment of Third Parties category covers the controls and questions HECVAT uses to evaluate how a vendor manages its own third parties (subprocessors, hosting and cloud providers, and hardware suppliers). It outlines the expectations institutions typically place on vendors in this area, helps assess the vendor's risk posture and operational maturity, and gives security reviewers a consistent structure for evaluation.

Assessment Questions

THRD-01

Do you perform security assessments of third-party companies with which you share data (e.g., hosting providers, cloud services, PaaS, IaaS, SaaS)?

This question is asking whether your organization conducts security assessments of third-party vendors that have access to your data. These third parties could include cloud hosting providers (like AWS or Azure), software-as-a-service providers (like Salesforce or Workday), or any other external entity that processes, stores, or transmits your data.

THRD-02

Do you have contractual language in place with third parties governing access to institutional data?

This question is asking whether your organization has formal contractual agreements with any third-party vendors or service providers that specifically address how they can access, handle, and protect your institution's data.

THRD-03

Do the contracts in place with these third parties address liability in the event of a data breach?

This question is asking whether your organization's contracts with third-party vendors or service providers explicitly address who is responsible (liable) if a data breach occurs involving the third party.

THRD-04

Do you have an implemented third-party management strategy?

This question is asking whether your organization has a formal, documented strategy for managing relationships with third-party vendors and service providers. A third-party management strategy is a framework that defines how your organization evaluates, onboards, monitors, and terminates relationships with external entities that have access to your systems, data, or provide critical services.

THRD-05

Do you have a process and implemented procedures for managing your hardware supply chain (e.g., telecommunications equipment, export licensing, computing devices)?

This question is asking whether your organization has established processes and procedures for managing the security and compliance aspects of your hardware supply chain. The hardware supply chain includes all the vendors, manufacturers, and distributors involved in providing the physical computing equipment your organization uses.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate, and arrived like London buses: 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub