Full VRA vs. Unit-Led VRA
After the VRA request and the ISO Context Questionnaire have been completed, the ISO will work with the UISL to determine if the VRA can be completed by the department UISL directly. If a Unit-Led VRA is appropriate, the UISL will need the following information from the requesting department:
- A completed HECVAT Lite Questionnaire.
- Any other security documentation provided by the vendor, e.g.
- Proof of security reviews and industry certifications (SOC1, SOC2, ISO 27001)
- Evidence of applicable policies and procedures supporting the answers in the HECVAT
- Third-party attestation certifying data security practices and compliance
- Non-disclosure agreement (campus signing authority is Supply Chain Management)