HECVAT Category

Data

The Data category covers the controls and questions that relate to how a vendor stores, transmits, backs up, separates, retains and ultimately disposes of an institution's data. It sets out the expectations institutions typically place on vendors in this area, helps assess the vendor's risk posture and operational maturity, and gives security reviewers a consistent structure for evaluating responses.

Assessment Questions

DATA-01

Will the institution's data be stored on any devices (database servers, file servers, SAN, NAS, etc.) configured with non-RFC 1918/4193 (i.e., publicly routable) IP addresses?

This question is asking whether the institution's data will be stored on devices that have public IP addresses (non-RFC 1918/4193) rather than private IP addresses.
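As an added example (not part of the HECVAT text), the following Python check classifies a storage-host inventory by whether each address falls inside the RFC 1918 (10/8, 172.16/12, 192.168/16) or RFC 4193 (fc00::/7) blocks, which is exactly the distinction DATA-01 draws. The host names and addresses are constructed sample data. The blocks are enumerated explicitly rather than relying on Python's `is_private`, because that property also returns True for loopback, link-local and other ranges the question does not mention.

```python
import ipaddress

# RFC 1918 (IPv4 private) and RFC 4193 (IPv6 unique local) address blocks.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def is_rfc1918_or_4193(addr: str) -> bool:
    """True only if addr lies inside one of the RFC 1918 / RFC 4193 blocks."""
    ip = ipaddress.ip_address(addr)
    # 'in' returns False (not an error) when address and network versions differ.
    return any(ip in block for block in PRIVATE_BLOCKS)


def publicly_routable_storage_hosts(inventory):
    """Return (host, address) pairs that would require a 'yes' answer to DATA-01."""
    return [(host, addr) for host, addr in inventory if not is_rfc1918_or_4193(addr)]


# Constructed sample inventory; host names and addresses are hypothetical.
SAMPLE_INVENTORY = [
    ("db-primary", "10.20.1.15"),
    ("file-share", "172.31.4.9"),
    ("nas-archive", "192.168.50.3"),
    ("san-mgmt", "fd12:3456:789a::1"),
    ("db-replica", "203.0.113.44"),  # documentation range used as a stand-in public address
    ("legacy-fs", "172.32.0.5"),     # one block past 172.16/12, so publicly routable
]

if __name__ == "__main__":
    for host, addr in publicly_routable_storage_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {addr} is not an RFC 1918/4193 address")
```

Running the script lists `db-replica` and `legacy-fs`; the second one is the kind of near-miss (172.32.x.x looks private but is not) that a reviewer should expect to find in real inventories.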

DATA-02

Is the transport of sensitive data encrypted using security protocols/algorithms (e.g., system-to-client)?

This question is asking whether your organization encrypts sensitive data when it's being transmitted between systems (like from your servers to a client's web browser or mobile app).

DATA-03

Is the storage of sensitive data encrypted using security protocols/algorithms (e.g., disk encryption, at-rest, files, and within a running database)?

This question is asking whether your organization encrypts sensitive data when it is stored (at rest) using appropriate security protocols or algorithms. Encryption at rest means that data is encrypted when it is stored on disk, in databases, or in other storage systems, as opposed to when it is being transmitted or actively processed.

DATA-04

Do all cryptographic modules in use in your solution conform to the Federal Information Processing Standards (FIPS PUB 140-2 or 140-3)?

This question is asking whether all cryptographic modules (software or hardware components that implement cryptographic functions like encryption, decryption, digital signatures, etc.) used in your solution comply with Federal Information Processing Standards (FIPS) Publication 140-2 or 140-3.

DATA-05

Will the institution's data be available within the system for a period of time at the completion of this contract?

This question is asking whether the institution's data will remain accessible within the vendor's system for some period after the contract ends. This is important for several reasons:

DATA-06

Are ownership rights to all data, inputs, outputs, and metadata retained even through a provider acquisition or bankruptcy event?

This question is asking whether your organization maintains ownership rights to all data (including raw data, processed data, and metadata) even if your cloud/service provider goes through a major business change like being acquired by another company or declaring bankruptcy.

DATA-07

Do backups containing the institution's data ever leave the institution's data zone either physically or via network routing?

This question is asking whether backup copies of the institution's data are ever stored or transmitted outside of the institution's controlled environment (data zone). The 'data zone' refers to the physical and network boundaries where the institution maintains direct control over its data.

DATA-08

Is media used for long-term retention of business data and archival purposes stored in a secure, environmentally protected area?

This question is asking about how your organization handles the physical storage of media containing long-term or archival business data. 'Media' here refers to physical storage devices like backup tapes, external hard drives, optical discs (CDs/DVDs), or other physical storage formats used for data that must be retained for extended periods.

DATA-09

At the completion of this contract, will data be returned to the institution and/or deleted from all your systems and archives?

This question is asking about your data handling procedures at the end of a contract with an educational institution. Specifically, it wants to know what happens to the institution's data when your business relationship ends.

DATA-10

Can the institution extract a full or partial backup of data?

This question is asking whether your organization (the vendor) provides capabilities for the institution (the customer) to extract their own data from your system in the form of backups. This is important for several reasons:

DATA-11

Do current backups include all operating system software, utilities, security software, application software, and data files necessary for recovery?

This question is asking whether your organization's backup strategy is comprehensive enough to enable a full system recovery in case of a disaster or significant data loss event. Specifically, it's asking if your backups include ALL of the following components:

DATA-12

Are you performing off-site backups (i.e., digitally moved off site)?

This question is asking whether your organization creates backup copies of data and stores them at a different physical location than your primary systems. 'Off-site backups' means that backup data is transferred (usually digitally) to a separate geographical location from where your primary systems operate.

DATA-13

Are physical backups taken off-site (i.e., physically moved off site)?

This question is asking whether your organization physically transports backup media (like tapes, hard drives, or other storage devices containing backup data) to a different location than where your primary systems operate.

DATA-14

Are data backups encrypted?

This question is asking whether your organization encrypts the data backups it creates. Data backups are copies of important information stored for recovery purposes in case the original data is lost, corrupted, or compromised.

DATA-15

Do you have a media handling process that is documented and currently implemented that meets established business needs and regulatory requirements, including end-of-life, repurposing, and data-sanitization procedures?

This question is asking whether your organization has a formal, documented process for handling media (such as hard drives, USB drives, backup tapes, etc.) throughout its lifecycle. Media handling includes how you manage, store, transport, and eventually dispose of storage media that contains data.

DATA-16

Does the process described in DATA-15 adhere to DoD 5220.22-M and/or NIST SP 800-88 standards?

This question is asking whether your data sanitization process (previously described in DATA-15) follows specific government and industry standards for secure data destruction.

DATA-17

Does your staff (or third party) have access to institutional data (e.g., financial, PHI, or other sensitive information) through any means?

This question is asking whether your employees or any third-party contractors can access sensitive institutional data belonging to the client organization. Institutional data typically includes personally identifiable information (PII), protected health information (PHI), financial records, student records, research data, or other confidential information.

DATA-18

Do you have a documented and currently implemented strategy for securing employee workstations when they work remotely (i.e., not in a trusted computing environment)?

This question is asking whether your organization has a formal, documented policy and active implementation for securing employee devices when they are used outside of your controlled office environment.

DATA-19

Does the environment provide for dedicated single-tenant capabilities? If not, describe how your solution or environment separates data from different customers (e.g., logically, physically, single tenancy, multi-tenancy).

This question is asking about how your environment or solution handles the separation of customer data in your infrastructure.
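To make the "logical separation" option in DATA-19 concrete, here is an added Python example (not from HECVAT or any vendor) using the standard-library sqlite3 module. A tenant-scoped store binds every query to the tenant fixed at construction time, so a record id that belongs to another tenant returns nothing; an unscoped lookup is shown alongside it as the weak pattern. Table, tenant names and payloads are constructed for the demonstration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE records (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    payload   TEXT NOT NULL
);
CREATE INDEX records_tenant ON records(tenant_id);
"""


class TenantScopedStore:
    """Every statement carries the tenant predicate; callers cannot omit it."""

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant = tenant_id

    def insert(self, payload):
        cur = self._conn.execute(
            "INSERT INTO records (tenant_id, payload) VALUES (?, ?)",
            (self._tenant, payload),
        )
        return cur.lastrowid

    def list_payloads(self):
        rows = self._conn.execute(
            "SELECT payload FROM records WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()
        return [r[0] for r in rows]

    def get(self, record_id):
        # tenant_id is part of the predicate, so a guessed or leaked id from
        # another tenant yields None instead of that tenant's data.
        row = self._conn.execute(
            "SELECT payload FROM records WHERE id = ? AND tenant_id = ?",
            (record_id, self._tenant),
        ).fetchone()
        return row[0] if row else None


def unscoped_get(conn, record_id):
    """Weak pattern: filters by id only, so separation depends on callers never slipping."""
    row = conn.execute("SELECT payload FROM records WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None


def build_demo():
    """Constructed scenario: two tenants sharing one database (logical separation)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    a = TenantScopedStore(conn, "univ-a")
    b = TenantScopedStore(conn, "univ-b")
    a_id = a.insert("univ-a student roster")
    b_id = b.insert("univ-b grant ledger")
    return conn, a, b, a_id, b_id


if __name__ == "__main__":
    conn, a, b, a_id, b_id = build_demo()
    print("tenant b reading a's id via scoped store:", b.get(a_id))
    print("same id via unscoped lookup:", unscoped_get(conn, a_id))
```

When reviewing a vendor's DATA-19 answer, the question to ask of a logically separated design is whether the tenant predicate is enforced structurally (as in the scoped store) or left to each query author (as in `unscoped_get`).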

DATA-20

Are ownership rights to all data, inputs, outputs, and metadata retained by the institution?

This question is asking whether your institution maintains legal ownership of all data that enters, exists within, or is generated by the vendor's system. Specifically:

DATA-21

In the event of imminent bankruptcy, closing of business, or retirement of service, will you provide 90 days for customers to get their data out of the system and migrate applications?

This question is asking about your organization's data exit strategy in case of business closure or service termination. It specifically wants to know if you will provide customers with a 90-day grace period to retrieve their data and migrate any applications before the service becomes unavailable.

DATA-22

Are involatile backup copies made according to predefined schedules and securely stored and protected?

This question is asking about your backup strategy, specifically focusing on 'involatile' backups - meaning backups that are stored on persistent media that retains data even when power is removed (like tape, hard drives, or cloud storage) as opposed to volatile memory (like RAM).

DATA-23

Do you have a cryptographic key management process (generation, exchange, storage, safeguards, use, vetting, and replacement) that is documented and currently implemented, for all system components (e.g., database, system, web, etc.)?

This question is asking whether your organization has a formal, documented process for managing cryptographic keys throughout their entire lifecycle. Cryptographic keys are the secret values used in encryption algorithms to secure data. The question specifically wants to know if you have processes for:
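An added illustration of the lifecycle DATA-23 enumerates (generation, storage, use, replacement and revocation), written for this page in Python and not taken from HECVAT or any vendor. The registry is hypothetical: it generates keys with the secrets module, records state and creation date per key id, signs only with the active key, lets retired keys verify older data, rejects revoked or unknown ids, and exposes metadata without the key material. HMAC stands in for whatever protection operation the real system performs; the demo dates are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)
DEMO_START = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed demo date


class KeyRegistry:
    """Hypothetical key registry: one active key, retired keys kept for verification."""

    def __init__(self, rotation_period=90 * DAY):
        self._keys = {}        # kid -> {"material": bytes, "state": str, "created": datetime}
        self._active = None
        self._period = rotation_period

    def generate(self, now=None):
        """Generation: new 256-bit key becomes active; the previous active key is retired."""
        now = now or datetime.now(timezone.utc)
        kid = f"k-{len(self._keys) + 1:03d}"
        self._keys[kid] = {"material": secrets.token_bytes(32), "state": "active", "created": now}
        if self._active is not None:
            self._keys[self._active]["state"] = "retired"
        self._active = kid
        return kid

    def active_key_id(self):
        return self._active

    def rotate_if_due(self, now):
        """Replacement: rotate once the active key is older than the rotation period."""
        if self._active is None or now - self._keys[self._active]["created"] > self._period:
            return self.generate(now)
        return None

    def revoke(self, kid):
        """Safeguard: a suspected-exposed key is unusable for signing and verification."""
        self._keys[kid]["state"] = "revoked"
        if self._active == kid:
            self._active = None

    def sign(self, data: bytes):
        """Use: only the active key protects new data; the tag is labelled with its kid."""
        if self._active is None:
            raise RuntimeError("no active key; generate or rotate first")
        tag = hmac.new(self._keys[self._active]["material"], data, hashlib.sha256).digest()
        return self._active, tag

    def verify(self, kid, data: bytes, tag: bytes) -> bool:
        """Active and retired keys verify; revoked or unknown ids fail closed."""
        entry = self._keys.get(kid)
        if entry is None or entry["state"] == "revoked":
            return False
        expected = hmac.new(entry["material"], data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def inventory(self):
        """Storage: metadata for audit; key material never leaves via this path."""
        return {kid: {"state": e["state"], "created": e["created"].isoformat()}
                for kid, e in self._keys.items()}


if __name__ == "__main__":
    reg = KeyRegistry()
    k1 = reg.generate(DEMO_START)
    kid, tag = reg.sign(b"backup-manifest-2024-01")
    k2 = reg.rotate_if_due(DEMO_START + 91 * DAY)
    print("rotated to", k2, "; old tag still verifies:", reg.verify(kid, b"backup-manifest-2024-01", tag))
    print(reg.inventory())
```

The point for a DATA-23 review is that each lifecycle stage is a distinct, auditable operation: a vendor answering "yes" should be able to show the equivalent of `inventory()` for every component listed in the question, plus the rotation and revocation procedures that drive state changes.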

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub