Educause Security Discussion mailing list archives
Re: HECVAT Security Assessment Question
From: Shelton Waggener <swaggener () INTERNET2 EDU>
Date: Thu, 6 Jul 2017 15:01:14 +0000
At Internet2, it is our intention to require HECVAT from every provider, without exception, if they want to move forward with full service validation for participation in our national cloud service offering efforts (NET+). Since we have about 1600 campuses now eligible to subscribe to those services, that should help push the broader provider community in that direction. In the case where IBM (or similar) says "We have tons of documentation that covers this already", we would likely have to develop a mapping activity so we can still use HECVAT as the master document, even if in some cases it functions as an index. I will be working with Nick Lewis and the Educause team on that process so we can make all those documents available to all interested campuses. For the stuff that's under NDA, we already have a process to put those materials in a view-only, credential-walled environment, so it might be good to test that out with a company like IBM on the process for access.

Shel

Shelton Waggener
Senior Vice President
Internet2
mailto: swaggener () internet2 edu
office: 510-858-0881
mobile: 510-710-3360
twitter: shelwaggener
6001 Shellmound Street, Suite 850
Emeryville, CA 94608
Assistant: Elaine Alejo, mailto: ealejo () internet2 edu, office: 510-858-0881

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Sue McGlashan <sue.mcglashan () UTORONTO CA>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, July 6, 2017 at 7:27 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT Security Assessment Question

IBM (one of their solutions) politely refused to complete the HECVAT, even though we told them this would be one document for many institutions. (See end.)

So, I agree with the longer-term goal of a central repository that we can point vendors to, and that they can use to market. A central repository was discussed at the Educause conference; if I remember correctly, the comment was that as yet there is no solution, mostly because of resources.

It is a pity that the default in the HECVAT is to not allow sharing of the HECVAT with other institutions. Vendors should notice, and change to not share, if they do not want to share. (I expect there was lots of discussion about the default.)

For completeness, IBM linked me to documents they already had (many). I also found their CSA CAIQ, so between their standard documentation and the CAIQ, and the ability to request some documentation under NDA, I have more than enough material. In other words, I understood their reluctance. It is the smaller companies in the education space that I think will particularly benefit from a one-document-for-many strategy. Many do not have standard documentation.

--
Sue McGlashan, Information Security Architect, ISEA
University of Toronto
416-946-3260

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Velislav K Pavlov <VelislavPavlov () FERRIS EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, July 6, 2017 at 9:05 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT Security Assessment Question

It would be convenient to have a centralized repository. We were using CSA STAR to assess hosted solutions. The benefit of CSA STAR is the availability of the attestation documentation, so other institutions won't have to reinvent the wheel and wait for request and response for information. One example is Salesforce: https://cloudsecurityalliance.org/star-registrant/salesforce-com-inc/. The centralized repository also helps with version control and provides dates/times for when the attestation was last submitted/reviewed.

Our University is supportive of HECVAT as we recognize the tailored approach to education and the benefit of information sharing within our community. What we found out is that the assessment, regardless of whether it's CSA CCM/CAIQ or HECVAT, takes time, and it's difficult to convince the vendor (cybersecurity team) to go through the hundreds of questions. Where we found some success is the fact that once the vendor fills out the document it can benefit other institutions. It becomes marketing material for the vendor to acquire new business by demonstrating that they have adequate security controls to protect client data at rest and in transit.

Vel Pavlov | Coordinator, IT Security
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE, Security+, CNA, MPCS, ITILv3F, A+

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joanna Grama
Sent: Wednesday, June 28, 2017 10:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT Security Assessment Question

Good morning list mates:

We have received an email from a member looking to see if:

1. Any institution has a completed HECVAT for Microsoft Office 365/OneDrive, Box and ServiceNow
2. The vendor's responses for that completed HECVAT allowed sharing with other higher education institutions

If the answers to the above questions are "yes," could you contact me off list please? We have a member that would like to speak with you about your experiences.

Kind regards,
Joanna

Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs
EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu
Attend the EDUCAUSE Metrics Mania! online seminar, August 9, 2017: https://events.educause.edu/webinar/2017/metrics-mania-using-metrics-to-bolster-your-higher-education-information-security-program