HECVAT Category
Policies, Processes, and Procedures
The Policies, Processes, and Procedures category covers the governance controls an institution expects a vendor to have in writing and to follow in practice: information security policy, SDLC, patch management, personnel screening, security training, privileged access review, internal audit and physical security. Reviewers use the answers to gauge a vendor's risk posture and operational maturity, and the category gives a consistent structure for comparing vendors during security reviews.
Assessment Questions
Do you have a documented patch management process?
This question is asking whether your organization has a formal, documented process for managing software patches across your systems. A patch management process outlines how your organization identifies, tests, approves, deploys, and verifies security patches and software updates. Reviewers generally expect the document to state how vulnerability advisories are monitored, deployment timeframes tied to severity, a testing and rollback step, and how exceptions (patches that cannot be applied) are recorded and risk-accepted.
Can your organization comply with institutional policies on privacy and data protection with regard to users of institutional systems, if required?
This question is asking whether your organization can adhere to the specific privacy and data protection policies that the institution (the potential client) has established for protecting their users' data.
Is your company subject to the institution's geographic region's laws and regulations?
This question is asking whether your company operates under and complies with the laws and regulations of the geographic region where the institution (the organization conducting the assessment) is located.
Can you accommodate encryption requirements using open standards?
This question is asking whether your organization can implement encryption using open standards rather than proprietary encryption methods. Open standards such as AES, TLS 1.2 or 1.3, SHA-2 and RSA/ECDSA are publicly specified and widely reviewed, whereas proprietary or in-house algorithms cannot be independently assessed and are a common reviewer concern. Expect follow-up questions on protocol versions, key lengths and key management.
Do you have a documented systems development life cycle (SDLC)?
This question is asking whether your organization has a formal, documented Systems Development Life Cycle (SDLC) process. An SDLC is a framework that defines the process used to build an information system, including the required steps and tasks from initial conception through to deployment, maintenance, and eventual retirement of the system.
Do you perform background screenings or multi-state background checks on all employees prior to their first day of work?
This question is asking whether your organization conducts background checks on employees before they start working. Background screenings typically include verification of criminal records, employment history, education credentials, and sometimes credit history. 'Multi-state' refers to checking records across multiple states, not just the employee's current state of residence.
Do you require new employees to fill out agreements and review policies?
This question is asking whether your organization has a formal process requiring new employees to read, understand, and acknowledge company policies and sign relevant agreements when they join the company. These typically include confidentiality agreements, acceptable use policies, security policies, code of conduct, and other employment-related documents.
Do you have a documented information security policy?
This question is asking whether your organization has a formal, written document that outlines your approach to information security. An information security policy is a foundational document that establishes the organization's security objectives, principles, roles, responsibilities, and requirements.
Are information security principles designed into the product lifecycle?
This question is asking whether security considerations are integrated throughout your product development lifecycle, rather than being added as an afterthought. It's about 'security by design': embedding practices such as threat modeling, secure coding standards, code review and security testing from the initial concept phase through development, testing, deployment, and maintenance.
Will you comply with applicable breach notification laws?
This question is asking whether your organization will adhere to laws and regulations that require notification of affected parties when a data breach occurs. Breach notification laws exist at various levels (state, federal, international) and typically mandate that organizations inform individuals and/or regulatory authorities when personal data has been compromised. These laws specify notification deadlines (for example, 72 hours to the supervisory authority under the GDPR, and commonly 30 to 60 days under US state laws), what information must be disclosed, and to whom. In practice the institution will usually also require contractual notice to itself, often on a shorter clock than the statutory deadline, so that it can meet its own obligations.
Do you have an information security awareness program?
This question is asking whether your organization has a formal program to educate employees about information security risks, best practices, and their responsibilities in protecting data and systems.
Is security awareness training mandatory for all employees?
This question is asking whether your organization requires all employees to complete security awareness training. Security awareness training educates employees about cybersecurity threats, best practices, and their responsibilities in protecting organizational data and systems.
Do you have process and procedure(s) documented, and currently followed, that require a review and update of the access list(s) for privileged accounts?
This question is asking whether your organization has documented processes for reviewing and updating who has privileged access to your systems, and whether you're actually following these processes. Expect to provide evidence that the review happens: a dated record of the last review, who performed it, how often it recurs, and accounts that were removed or downgraded as a result.
Do you have documented, and currently implemented, internal audit processes and procedures?
This question is asking whether your organization has formalized, documented internal audit processes that are actively being followed, not just written down and forgotten.
Does your organization have physical security controls and policies in place?
This question is asking whether your organization has implemented physical security measures and documented policies to protect physical assets, facilities, and data from unauthorized access, theft, damage, or other physical threats.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.