Re: HECVAT Tool usage

[Rob Milman <rob.milman () SAIT CA>]

We use it prior to contract signing. Our institution has a policy in place that requires IS approval prior for any web 
services or applications outside our perimeter.

I have had different levels of success with vendors depending on their maturity level. Most have completed the 
assessment without any issues, others have tried to fake it by not answering questions properly and one replied that 
they were not mature enough to provide us with the service levels that we were requesting. I always check the Cloud 
Security Alliance STAR registry for the vendor in question. That saves a lot of work up front for both parties.

Regards,

Rob Milman

[cid:image004.png@01D18F19.9217E950]

Rob Milman
Security & Compliance Analyst
Information Systems

Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 – 16 Avenue NW, Calgary AB, T2M 0L4

(Office) 403.774.5401  (Cell) 403.606.3173
rob.milman () sait ca<mailto:rob.milman () sait ca>





From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John R. 
LaPrad
Sent: Wednesday, May 31, 2017 9:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT Tool usage


We are talking about having cloud vendors fill out this assessment.  I am wondering how are institutions using this 
document.

  *   Are vendors requested to fill it out during the RFP stage or after selection?
  *    Is it used to help make the purchase decision? If so, how is it quantified or scored so that responses can be 
compared across vendors?
  *   What if vendors say that information is proprietary and don't answer many of the questions?

Thank you for the input.
John LaPrad - CISSP, CIHE
Information Systems Security Manager
Saginaw Valley State University
7400 Bay Rd. University Center, MI
Phone: 989-964-7134
jrl () svsu edu<mailto:jrl () svsu edu>