Educause Security Discussion mailing list archives

Re: HECVAT Tool usage


From: Sue McGlashan <sue.mcglashan () UTORONTO CA>
Date: Wed, 31 May 2017 16:54:09 +0000

Hi

We have had our own questionnaire that we asked vendors to complete.  This was a requirement of the RFP process – i.e. 
if they did not complete the questionnaire, they did not progress further.  We only assess the final chosen vendor. 
Caveats – we have more than one campus, so not all RFPs are requiring this.

We also go through a risk assessment for other vendors, if we are asked, for vendors that do not need to go through an 
RFP process.

We are planning to start using the HECVAT, as we see the value for vendors in not completing a different questionnaire 
for each institution. We will add a separate document to cover parts that are missing from the HECVAT (mostly PIA 
questions based on our requirements), or for questions that are too US-centric.

So, the HECVAT will become part of the process.
- and thanks again to the volunteers who put it together

--
Sue McGlashan,
Information Security Architect, ISEA
University of Toronto
416-946-3260



From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "John R. 
LaPrad" <jrl () SVSU EDU>
Organization: Saginaw Valley State University
Reply-To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, May 31, 2017 at 11:59 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] HECVAT Tool usage


We are talking about having cloud vendors fill out this assessment.  I am wondering how institutions are using this 
document.

  *   Are vendors requested to fill it out during the RFP stage or after selection?
  *   Is it used to help make the purchase decision? If so, how is it quantified or scored so that responses can be 
compared across vendors?
  *   What if vendors say that information is proprietary and don't answer many of the questions?

Thank you for the input.
John LaPrad - CISSP, CIHE
Information Systems Security Manager
Saginaw Valley State University
7400 Bay Rd. University Center, MI
Phone: 989-964-7134
jrl () svsu edu
