FAQ for vendors

Please have the following documentation from vendors for new IT investment submissions:

For Security Review

Required documentation:

  • HECVAT version 3 preferred
  • SOC 2 Type 2 Report if available

Recommended documentation (if available):

  • Basic security policy
  • Disaster Recovery Plan
  • Business Continuity Plan
  • Change Management Process

For credit card/payment processor:

  • PCI SAQ
  • PCI AoC document from vendor they are using

For Accessibility Review

  • Product or service is WCAG 2.0, AA compliant

Required documentation:

  • Voluntary Product Accessibility Template (VPAT) - newest version