Educause Security Discussion mailing list archives
Re: HECVAT Security Assessment Question
From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Thu, 13 Jul 2017 15:48:40 +0000
We are looking at incorporating the HECVAT in our Enterprise RFPs as well. I think when adoption of such instruments is first ramping up, it's important to consider the vendor's relative investment in responding to RFPs and bids, compared to the anticipated revenue that it projects it will get from the customer if it wins. It costs money (time, resources) for vendors to fill these things out. I'm not a vendor, but (just guessing...) I imagine that they need to pull in at the very least their CISO, legal counsel, technical resources, management resources, and probably other individuals who are not typically part of their run-of-the-mill RFP response team in order to complete such detailed instruments and gain the necessary approvals to make the info public.

My thought is that a good place to start is likely with very high dollar value contracts. I.e., start with those worth > (e.g.) $1m (which might mean starting with mostly large institutions or systems, or purchasing cooperatives that bring in those kinds of dollars as a result of any given award). I'm guessing that vendors would be more willing to invest more of their resources into a potentially more lucrative contract than they would in one that may only net the vendor a few dozen $k. I'm also guessing that as vendors of smaller $ value contracts start to see the same request more and more frequently, they will bump up against some "tipping point" when they acknowledge that this is being requested so frequently that they probably ought to invest their resources into completing it so it doesn't keep being an issue for every possible sale.

Just a thought.....

Ruth Ginzberg, CISSP, CTPS
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob Milman
Sent: Thursday, July 13, 2017 10:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT Security Assessment Question

Hi everyone,

I've been watching this thread with interest. We made the decision to begin using the HECVAT this spring to replace our SaaS assessment that was just not detailed enough. I am currently working on 5 different engagements with cloud service providers and 3 of them have outright refused to complete the HECVAT. The other 2 are being evaluated and they haven't got back to me yet. Some of the vendors that have rejected the HECVAT have provided their own documentation, but I can find no evidence of a third-party assessment. We have gone as far as telling the institution that we cannot support the cloud vendor as a risk assessment was not completed; the institution has gone ahead and signed contracts with these vendors anyway, without our acceptance.

Has anyone else had vendors refuse to complete the HECVAT? What has been the result? Is there a lighter version of the HECVAT that you would be willing to share? Our institution is beginning to question the hard line we have taken with regards to cloud vendors; we may have to stand down.

Thanks,
Rob

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of José A. Domínguez
Sent: Monday, July 10, 2017 4:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT Security Assessment Question

Hello Sue.

Your approach seems similar to what I am trying to do at UO. I am engaging the office of Purchasing and Contracting Services and working on adopting HECVAT as part of their evaluation criteria for vendor selection. That way it's part of what the vendors need to do if they want our business and it's part of what departments need to look for when engaging businesses. The question is agreeing on what kind of cloud service solution requires what level of evaluation. I'll let you know how successful this approach is.

José.

On 7/7/17 5:14 AM, Sue McGlashan wrote:

Hi Mark,

You derailed the conversation exactly into what I was talking about yesterday within our team - speediness vs. effectiveness. We need to be both effective and efficient, but effective does take time. Please see more below, and thank you for opening the conversation.

> At Brown, we are trying to move towards adopting HECVAT/HECVAT Lite for all vendor assessments as well. So far, we haven't run into the IBM scenario yet and we had our first instance of a vendor (Workfront) who had already seen it and turned it around almost instantly, thanks for whomever forged the way for us!
>
> If I could derail this conversation slightly, I'd be really interested in learning what your staffing to support vendor assessments looks like. We seem to be continuously trying to play catch up with assessments

Yes, we play a game of catch up all of the time, and any delayed projects seem to arrive in the middle of a high volume of projects, not when we had planned time to complete them ... we all know this story - and I am sure you all also have internal projects, and you probably also need to look at both privacy and security.

> and it's taking way more time than the cycles we have allotted. A vast majority of our time seems to be tied up in chasing down information and getting people to actually respond!

Agreed about the time, and to make it worse, sometimes the response is poor, so although a questionnaire is provided, it is filled in by marketing, or else the vendor has a weak security team - i.e. we cannot use it as is.

Solution? - Please let me know if you have other suggestions. I am adjusting our process - we need a better intake, so that as vendor responses come in, we quickly review the supplied documentation, and immediately contact the vendor if the information is inadequate. This should reduce the overall time per project, but it will interrupt current projects. I am hoping for a longer-term win.

> Although in some cases, wading through the reams of documentation from a vendor can take significant time as well. At present, our team of two part-time people (very part time on paper for at least one of these anyways) seems to be consistently trying to do contract reviews and security assessments on just north of 20 contracts concurrently. I'm trying to figure out if we are just hugely inefficient, we are attempting to be too detailed in our reviews, or we are truly understaffed. Are we the only ones in this situation? Anyone have a better model?
>
> Mark

Overall, it takes time! I am looking at how we can more efficiently complete an assessment, but I do not want to change to a check-box approach since we have discovered some concerns that such an approach would not have. However, when I asked the team to be more efficient, that was interpreted as rushing the work, resulting in the need to re-review some of the assessment.

No, you are not the only ones in this situation. If we decide an assessment must be completed, we should be thorough. Yes, I think if we are to do all of the assessments, we will need more staff (but e.g. Workfront - hopefully in the longer term we will be able to share the results of our security reports/assessments, so we are also not each individually reviewing each vendor). But could we triage better? Probably. We are working towards a self-assessment for some smaller internal applications, followed by providing an application vulnerability scan, and random full assessments. This idea evolved from listening to talks at the Educause conference.

Thanks
Sue McGlashan