HECVAT Category
Policies, Processes, and Procedures
Policies, Processes, and Procedures covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Do you have a documented patch management process?
Patch management documentation is what's being checked: the institution wants a formal, written process for applying software patches across your systems. A patch management process outlines how your organization identifies, tests, approves, deploys, and verifies security patches and software updates.
Can your organization comply with institutional policies on privacy and data protection with regard to users of institutional systems, if required?
Institutions need confidence that you can adhere to their own privacy and data protection policies for the users of their systems whenever that is required.
Is your company subject to the institution's geographic region's laws and regulations?
Jurisdiction is what's being established here: whether your company operates under and complies with the laws and regulations of the region where the assessing institution sits.
Can you accommodate encryption requirements using open standards?
Open-standards encryption is the crux here, and whether you can meet a customer's encryption needs without relying on proprietary methods.
Do you have a documented systems development life cycle (SDLC)?
Engineering discipline is under examination: reviewers want to see a formal, documented Systems Development Life Cycle (SDLC) that governs how your software is built. An SDLC is a framework that defines the process used to build an information system, including the required steps and tasks from initial conception through to deployment, maintenance, and eventual retirement of the system.
Do you perform background screenings or multi-state background checks on all employees prior to their first day of work?
Pre-employment vetting is the concern behind this question, specifically whether you run background screenings or multi-state checks on every employee before their first day. Background screenings typically include verification of criminal records, employment history, education credentials, and sometimes credit history. 'Multi-state' refers to checking records across multiple states, not just the employee's current state of residence.
Do you require new employees to fill out agreements and review policies?
Onboarding controls are what's being checked here: the concern is whether new hires must review your policies and sign the relevant agreements before they start. These typically include confidentiality agreements, acceptable use policies, security policies, code of conduct, and other employment-related documents.
Do you have a documented information security policy?
Enterprise buyers want confirmation that you maintain a formal, written document setting out your overall approach to information security. An information security policy is a foundational document that establishes the organization's security objectives, principles, roles, responsibilities, and requirements.
Are information security principles designed into the product lifecycle?
Security-by-design is what reviewers are probing: they want assurance that security principles are built into the product lifecycle from the start rather than bolted on later. It's about 'security by design' - embedding security practices from the initial concept phase through development, testing, deployment, and maintenance.
Will you comply with applicable breach notification laws?
Breach notification obligations are what's being tested: this asks whether you will comply with the laws requiring you to notify affected parties when a data breach occurs. Breach notification laws exist at various levels (state, federal, international) and typically mandate that organizations inform individuals and/or regulatory authorities when personal data has been compromised. These laws specify timeframes (often 24-72 hours), what information must be disclosed, and to whom.
Do you have an information security awareness program?
Security awareness is the subject here, specifically whether you run a structured program that teaches employees about risks, good practices, and their role in protecting data and systems.
Is security awareness training mandatory for all employees?
Mandatory security awareness training is the focus here: whether every employee, without exception, is required to complete it. Security awareness training educates employees about cybersecurity threats, best practices, and their responsibilities in protecting organizational data and systems.
Do you have process and procedure(s) documented, and currently followed, that require a review and update of the access list(s) for privileged accounts?
Privileged access reviews sit at the center of this requirement, which probes whether you have documented processes for revisiting who holds elevated rights and whether you actually follow them.
Do you have documented, and currently implemented, internal audit processes and procedures?
Internal audit maturity is what reviewers are checking: they want documented audit processes and procedures that are genuinely in use rather than merely written and shelved.
Does your organization have physical security controls and policies in place?
Protecting facilities and equipment from physical threats sits at the core of this requirement, which looks for both implemented physical security controls and documented policies covering them.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

