Educause Security Discussion mailing list archives
Re: HECVAT Tool usage
From: Brad Judy <brad.judy () CU EDU>
Date: Wed, 31 May 2017 16:10:50 +0000
While we’re just starting to look at HECVAT specifically, here are some general answers for this type of thing:

* Are vendors requested to fill it out during the RFP stage or after selection?
    * As part of an RFP process – it’s critical to do prior to selection IMO.
* Is it used to help make the purchase decision? If so, how is it quantified or scored so that responses can be compared across vendors?
    * Yes, it’s part of the decision process. Our RFP process requires factors to be quantitative so the topic of security might be given a weight related to other criteria. Additionally, we may identify specific items as true requirements (deal breakers). For example, secure transmission of data (SSL/TLS) might be an absolute requirement.
* What if vendors say that information is proprietary and don't answer many of the questions?
    * This typically only happens with really large vendors (Oracle does this a lot) and it’s a case-by-case decision, largely based on what information they can/will provide. Sometimes it’s simply that they won’t answer custom sets of information, but might provide alternative information about their security (audits, company policies, etc.). Ultimately, it’s a business risk decision, not an information security office decision.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "John R. LaPrad" <jrl () SVSU EDU>
Organization: Saginaw Valley State University
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, May 31, 2017 at 9:59 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] HECVAT Tool usage

We are talking about having cloud vendors fill out this assessment. I am wondering how institutions are using this document.

* Are vendors requested to fill it out during the RFP stage or after selection?
* Is it used to help make the purchase decision? If so, how is it quantified or scored so that responses can be compared across vendors?
* What if vendors say that information is proprietary and don't answer many of the questions?

Thank you for the input.

John LaPrad - CISSP, CIHE
Information Systems Security Manager
Saginaw Valley State University
7400 Bay Rd.
University Center, MI
Phone: 989-964-7134
jrl () svsu edu