Educause Security Discussion mailing list archives
Re: HECVAT Users List
From: Sue McGlashan <sue.mcglashan () UTORONTO CA>
Date: Thu, 22 Feb 2018 14:05:02 +0000
Hi

Thanks Jon, for the first email. We have been promoting the use of the HECVAT since we first heard about it, and I think three vendors have provided the HECVAT - more have expressed interest in using it in the future. At least one of those had the HECVAT already prepared - but no-one has agreed to share directly. Hopefully with time, they will see the similarity to the Cloud Security Alliance registry https://cloudsecurityalliance.org/registry - I use results from here as well.

A driver for risk assessment at UofT is a Privacy impact assessment, so we have our own questionnaire that has questions relating to privacy, and others similar to the HECVAT. In fact, our privacy director sends project leaders to us. I now include the option to use the HECVAT instead of the security questions directly in our questionnaire, so that others in our decentralized University who might use the internal questionnaire hear about the HECVAT.

I did not find the lite version very helpful, but recognize this is more a function of our detailed assessments once we receive the information. Most of the time, we will want the full version, because of the PIA component. However, not every vendor manages personal information.

Procurement on this campus works with us, but this is a large decentralized University, so there are gaps. I think we have reached the IT leadership on the other campuses and divisions, and more projects will go through a risk assessment process - their own or through us.

Take care
--
Sue McGlashan M.Ed. CISSP CCSK
ISA, Information Security and Enterprise Architecture
Information and Technology Services
University of Toronto
Phone 416-946-3260

This email communication is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged information. Any use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the email and all copies (electronic or otherwise) immediately.

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Brian T. Huntley" <bhuntley () CLARKSON EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, February 22, 2018 at 6:41 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT Users List

We started using the HECVAT late in 2017 as well. We've incorporated it into the purchasing process, so a PO cannot be issued until we're satisfied with the responses. This gets us in at the ground floor for new contracts and enables us to insert ourselves in renewals of existing contracts.

So far, we've had occasion for three vendors to do it. Based on the type of data we were sharing with them, the Lite version seemed most appropriate. One vendor already had one done, the other two had never heard of it and took a couple of weeks to complete it but didn't really complain about the process. None of them were willing to have their completed HECVATs nor their willingness to provide a completed HECVAT shared.

Brian

Brian T. Huntley, CISSP
Director of Network Services and Information Security
Office of Information Technology
Clarkson University
315.268.6723

On Wed, Feb 21, 2018 at 8:46 PM, Ken Connelly <ken.connelly () uni edu> wrote:

In general, are you (collective you, not just Mark) using the full-blown HECVAT or the HECVAT Lite?

- ken

On 2/21/18 4:29 PM, Mark Dieterich wrote:
We've been telling vendors that EDU customers are adopting this, but haven't had a sense of how widespread the adoption has been. I got the green light to have Brown listed, so we will be adding our name to the list.

When this first came about, there was discussion on developing a sharing platform where completed HECVATs or the fact that a vendor has filled out a HECVAT, depending on their wishes, could be listed. Are there any developments with this? I think we actually have one vendor who indicated we could share and a few that gave us permission to list them, it would be great if we could actually do something with these.

Thanks,
Mark

On Wed, Feb 21, 2018 at 1:20 PM, Allen, Jon <Jon_Allen () baylor edu> wrote:

Hello!

The 2019 Higher Education Cloud Vendor Assessment Tool (HECVAT) working group is devoting effort to getting the word out about institutional HECVAT adoption. We want to create a list of institutions that are using the HECVAT to publish on the HECVAT web page (https://library.educause.edu/resources/2016/10/higher-education-cloud-vendor-assessment-tool).

The purpose of this list is two-fold: First, to demonstrate HECVAT adoption at higher education institutions (so that vendors will want to participate in completing a HECVAT). Second, to provide a list of HECVAT references (so that institutions can contact their peers with HECVAT questions).

If you are interested in being listed on the webpage in this manner, please fill out this form. Institutional names only (not contact information) will be listed on the webpage. If you would like your institution to be listed in this way, please complete our form: https://goo.gl/forms/BJlson23HVDMy1Q63

Thanks,

Jon Allen, CISSP, EnCE
Assistant Vice President &
Chief Information Security Officer
Baylor University
254.710.4793
http://www.baylor.edu/bearaware/

--
- Ken
=================================================================
Ken Connelly
Director, Information Security
Information Security Officer
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!