FAQ for vendors
Please have the following documentation from vendors for new IT investment submissions:
For Security Review
Required documentation:
- HECVAT version 3 preferred
- SOC 2 Type 2 Report if available
Recommended documentation (if available):
- Basic security policy
- Disaster Recovery Plan
- Business Continuity Plan
- Change Management Process
For credit card/payment processor:
- PCI SAQ
- PCI AoC document from vendor they are using
For Accessibility Review
- Product or service is WCAG 2.0, AA compliant
Required documentation:
- Voluntary Product Accessibility Template (VPAT) - newest version