Educause Security Discussion mailing list archives
Re: HECVAT Tool usage
From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Wed, 31 May 2017 16:14:36 +0000
Hi, I.T. Procurement Person here… I’d recommend having them fill it out as part of an RFP response. For one thing, vendors may have different teams responding to your questions at different times. If you make it part of the RFP response, then their RFP Response Team will be filling it out. If you ask them to fill it out after they are selected, they may only have a smaller post-sale customer satisfaction team (or individual) available to fill it out, and you won’t have the same leverage to incent them to do it.

Also, you may want to use the responses to help determine whether or not a cloud provider has sufficient security for your institution’s comfort level. If they say the info is proprietary, offer to sign an NDA and to limit the number of people in your organization who will have access to the info, but tell them that if they want to earn your business you need “enough” information to be able to evaluate their security posture. Be willing to negotiate over what they actually disclose to you. If there are certain parts of their security processes that they don’t want to disclose to anyone (and that is understandable), take another look at why you are asking that question and see if you couldn’t agree to some other less sensitive piece of info from the vendor that would answer the same question to your satisfaction.

Ruth Ginzberg, CISSP, CTPS
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John R. LaPrad
Sent: Wednesday, May 31, 2017 10:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT Tool usage

We are talking about having cloud vendors fill out this assessment. I am wondering how institutions are using this document.

* Are vendors requested to fill it out during the RFP stage or after selection?
* Is it used to help make the purchase decision? If so, how is it quantified or scored so that responses can be compared across vendors?
* What if vendors say that information is proprietary and don't answer many of the questions?

Thank you for the input.

John LaPrad - CISSP, CIHE
Information Systems Security Manager
Saginaw Valley State University
7400 Bay Rd.
University Center, MI
Phone: 989-964-7134
jrl () svsu edu