Alternative Security Documents for Purchasing Technology

If a vendor is unable to provide a HECVAT (Higher Education Community Vendor Assessment Toolkit) for cybersecurity review, there are alternative security documents that may be acceptable. Depending on the Data Classification level submitted on the Cybersecurity Review form, the alternative documentation may need to be approved by the Chief Information Security Officer (CISO) before it can be used. Submit the review request with these documents attached. The security team will contact you if more information is needed and will perform a risk assessment.

For hardware only: If you are purchasing hardware and a vendor will not complete a HECVAT, ask if they will complete and return the UARK Cybersecurity Hardware Review Form.

The UARK Cybersecurity Hardware Review Form is attached to this article in the Attachments section in the column on the right. 

Possible alternative documentation options the vendor could provide include (this list is not exhaustive):

  • SOC 2 report (AICPA System and Organization Controls report against the Trust Services Criteria)
  • CAIQ report (Cloud Security Alliance Consensus Assessments Initiative Questionnaire)
  • SIG report (Shared Assessments Standardized Information Gathering questionnaire)
  • ISO 27001 Certification (information security management system)
  • ISO 27034 Certification for desktop software (application security)
  • Third-party security risk assessment
  • Network and infrastructure diagrams
  • Security audits and penetration test reports

Alternatively, the vendor may provide a security document or statement that gives as much detail as possible on each of the following areas:

  • Security Features & Capabilities: Describe the core security functions of the solution, such as encryption, authentication, access control, data protection, and user privacy.
  • Threat Detection & Response: Outline how the product detects, responds to, and mitigates security threats, including malware, ransomware, and unauthorized access attempts.
  • Vulnerability Management: Explain the processes used to identify, assess, and remediate vulnerabilities, including patch management and system updates.
  • Compliance & Standards: Specify how the solution adheres to industry standards and regulations, such as GDPR, HIPAA, ISO 27001, and other relevant security frameworks.
  • Integration & Interoperability: Detail how the product integrates with existing IT infrastructure and other security systems, including compatibility with existing hardware, software, and network environments.
  • Monitoring & Reporting: Describe the monitoring capabilities, logging features, and reporting functionality available to track and audit security events and activities.
  • Scalability & Performance: Provide information on how the solution scales to meet the needs of growing organizations while maintaining performance and security.
  • Support & Maintenance: Outline the support services, updates, and maintenance processes, including response times, availability, and long-term reliability.

If you have questions or need advice, you can email the Contracts Team at contract@uark.edu.