Educause Security Discussion mailing list archives

Re: HECVAT Tool usage

From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Wed, 31 May 2017 16:14:36 +0000

Hi, I.T. Procurement Person here…

I’d recommend having them fill it out as part of an RFP response.  For one thing, vendors may have different teams 
responding to your questions at different times.  If you make it part of the RFP response, then their RFP Response Team 
will be filling it out.  If you ask them to fill it out after they are selected, they may only have a smaller post-sale 
customer satisfaction team (or individual) available to fill it out, and you won’t have the same leverage to incent 
them to do it.

Also, you may want to use the responses to help determine whether or not a cloud provider has sufficient security for 
your institution’s comfort level.

If they say the info is proprietary offer to sign an NDA and to limit the number of people in your organization who 
will have access to the info, but tell them that if they want to earn your business you need “enough” information to be 
able to evaluate their security posture.  Be willing to negotiate over what they actually disclose to you.  If there 
are certain parts of their security processes that they don’t want to disclose to anyone (and that is understandable) 
take another look at why you are asking that question and see if you couldn’t agree to some other less sensitive piece 
of info from the vendor that would answer the same question to your satisfaction.


Ruth Ginzberg, CISSP, CTPS
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John R. 
LaPrad
Sent: Wednesday, May 31, 2017 10:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT Tool usage


We are talking about having cloud vendors fill out this assessment.  I am wondering how are institutions using this 
document.

  *   Are vendors requested to fill it out during the RFP stage or after selection?
  *    Is it used to help make the purchase decision? If so, how is it quantified or scored so that responses can be 
compared across vendors?
  *   What if vendors say that information is proprietary and don't answer many of the questions?

Thank you for the input.
John LaPrad - CISSP, CIHE
Information Systems Security Manager
Saginaw Valley State University
7400 Bay Rd. University Center, MI
Phone: 989-964-7134
jrl () svsu edu<mailto:jrl () svsu edu>

Current thread:

HECVAT Tool usage John R. LaPrad (May 31)
- Re: HECVAT Tool usage Brad Judy (May 31)
- Re: HECVAT Tool usage Rob Milman (May 31)
- Re: HECVAT Tool usage Ruth Ginzberg (May 31)
- Re: HECVAT Tool usage Robert Smith (May 31)
- Re: HECVAT Tool usage Escue, Charles E (May 31)
- Re: HECVAT Tool usage Flynn, Gary - flynngn (May 31)
- Re: HECVAT Tool usage Sue McGlashan (May 31)
- Re: HECVAT Tool usage Alex Jalso (May 31)
- Re: HECVAT Tool usage John R. LaPrad (Jun 12)