HECVAT Category

Assessment of Third Parties

Assessment of Third Parties covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.

Assessment Questions

THRD-01

Do you perform security assessments of third-party companies with which you share data (e.g., hosting providers, cloud services, PaaS, IaaS, SaaS)?

Third-party risk is the focus here: reviewers want to know whether you run security assessments of the vendors with which you share data, such as hosting providers and cloud, PaaS, IaaS, and SaaS services. These third parties could include cloud hosting providers (like AWS or Azure), software-as-a-service providers (like Salesforce or Workday), or any other external entity that processes, stores, or transmits your data.

THRD-02

Do you have contractual language in place with third parties governing access to institutional data?

Contractual safeguards are the focus here: assessors want to confirm that your agreements with third parties spell out how those vendors may access, handle, and protect institutional data.

THRD-03

Do the contracts in place with these third parties address liability in the event of a data breach?

At issue here is liability: whether your contracts with third-party vendors spell out who bears responsibility when a data breach involves one of those providers.

THRD-04

Do you have an implemented third-party management strategy?

At issue here is whether your organization runs a formal, documented strategy for managing relationships with third-party vendors and service providers. A third-party management strategy is a framework that defines how your organization evaluates, onboards, monitors, and terminates relationships with external entities that have access to your systems, data, or provide critical services.

THRD-05

Do you have a process and implemented procedures for managing your hardware supply chain (e.g., telecommunications equipment, export licensing, computing devices)?

At issue here is your hardware supply chain, and whether you run defined processes and procedures to manage its security and compliance across telecom gear, computing devices, and export licensing. The hardware supply chain includes all the vendors, manufacturers, and distributors involved in providing the physical computing equipment your organization uses.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron