Re: HECVAT Security Assessment Question

[Rob Milman <rob.milman () SAIT CA>]

Hi Andy,

We conduct a Privacy Impact Assessment (PIA) as part of any projects that affect personal data as defined by the 
Freedom of Information and Protection of Privacy Act here in Alberta. I'm not sure if Ontario has similar legislation. 
It is not legislated for public institutions, but our Privacy Officer has asked that we complete them for transparency 
and to show that we have considered the risks. 

Regards,

Rob Milman
Security & Compliance Analyst
Information Systems

Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 – 16 Avenue NW, Calgary AB, T2M 0L4

(Office) 403.774.5401  (Cell) 403.606.3173
rob.milman () sait ca


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andy 
Hooper
Sent: Friday, July 14, 2017 12:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT Security Assessment Question

For RFPs we do two stages. All bidders complete about twenty fairly easy questions. This gives enough information for a 
sense of the security maturity. Once a preferred bid has been selected, we do more detailed questions during the 
negotiation phase. That could result in adding work items to the contract, or in the worst case, moving on to the next 
preference. Security has very low weight in our RFP scoring, but as long as price isn't weighted too high, then good 
security seems to be generally associated with good function.

HECVAT doesn't have much on privacy. Are people using HECVAT doing something separate for privacy and 
access-to-information aspects?

- Andy Hooper - IT Services - Queen's University -