Educause Security Discussion mailing list archives
Re: HECVAT Users List
From: Josh Callahan <josh.callahan () HUMBOLDT EDU>
Date: Thu, 22 Feb 2018 16:49:33 -0800
Here in the CSU we are working to build a consistent process around security reviews of vendors and contracts across our campuses. We are adopting the HECVAT as the standard document we will be asking for from all vendors for many of the same reasons that have been listed here. We went with the full rather than the lite version, because we are only using this process for vendors who are storing or processing our protected data and there are questions in the full versions we need answered to assess the risk. Additionally, David Zeichick, a member of our team from Chico has been working on a scoring tool that will take all of the yes/no answers from the HECVAT which we've prioritized as high risk and generate a common score report that we can then share across to other campuses in our system. We are willing to share that tool back to the group if others find it helpful. -Josh On Thu, Feb 22, 2018 at 11:25 AM, Ronald King <ronald.king () morgan edu> wrote:
Morgan State has been using it since late last year with mixed results from vendors. Of those that have completed it, non have allowed it to be shared. This listing is necessary in my opinion. I could have used it with Tableau some time ago as they refused to complete it. We use the full version which usually spurs additional questions and a back and forth dialogue. This, to me, is one of the great benefits. A particular vendor we reviewed looked great but was hiring a third party for their SOC. So, it gave us the info and communication channel to dig deeper and ask specific questions around what the 3rd party had access to. The idea of incorporating it into the procurement process is a great idea and will be pushing for it here. Ron *Ronald A. King, CISSP* Chief Information Security Officer Morgan State University Office: (443) 885-3372 1700 E. Cold Spring Ln <https://maps.google.com/?q=1700+E.+Cold+Spring+Ln&entry=gmail&source=g>. Email: ronald.king () morgan edu Baltimore, MD 21251 URL: http://www.morgan.edu *Growing the future ... Leading the world* <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf> On Thu, Feb 22, 2018 at 12:15 PM, Alan Bowen <abowen () fandm edu> wrote:Modified HECVAT lite, but we’ll accept the non-modified version. -Alan On Feb 21, 2018, at 8:46 PM, Ken Connelly <ken.connelly () uni edu> wrote: In general, are you (collective you, not just Mark) using the full-blown HECVAT or the HECVAT Lite? - ken On 2/21/18 4:29 PM, Mark Dieterich wrote: We've been telling vendors that EDU customers are adopting this, but haven't had a sense of how widespread the adoption has been. I got the green light have Brown listed, so we will be adding our name to the list. When this first came about, there was discussion on developing a sharing platform where completed HECVATS or the fact that a vendor has filled out a HECVAT, depending on their wishes, could be listed. Are there any developments with this? I think we actually have one vendor who indicated we could share and a few that gave us permission to list them, it would be great if we could actually do something with these. Thanks, Mark On Wed, Feb 21, 2018 at 1:20 PM, Allen, Jon <Jon_Allen () baylor edu <mailto:Jon_Allen () baylor edu <Jon_Allen () baylor edu>>> wrote: Hello! The 2019 Higher Education Cloud Vendor Assessment Tool (HECVAT) working group is devoting effort to getting the word out about institutional HECVAT adoption. We want to create a list of institutions that are using the HECVAT to publish on the HECVAT web page (https://library.educause.edu/resources/2016/10/higher-ed ucation-cloud-vendor-assessment-tool<https://na01.safelinks. protection.outlook.com/?url=https%3A%2F%2Fwww.google.com% 2Furl%3Fq%3Dhttps%3A%2F%2Flibrary.educause.edu%2Fresou rces%2F2016%2F10%2Fhigher-education-cloud-vendor- assessment-tool%26sa%3DD%26ust%3D1519160086542000%26usg %3DAFQjCNHtq6sVc7M6Yijyrp-FyIIhP7-g3A&data=01%7C01%7Cjon_ allen%40baylor.edu%7C2f31c9f2ae8048feb12908d5789c6998%7C22d2 fb35256a459bbcf4dc23d42dc0a4%7C1&sdata=xWyOTuLEnGCCgx273bRa eoOn%2FF5jzLxFimJ28wRO8BQ%3D&reserved=0> <https://urldefense.proofpoint.com/v2/url?u=https-3A__library.educause.edu_resources_2016_10_higher-2Deducation-2Dcloud-2Dvendor-2Dassessment-2Dtool-253Chttps-3A__na01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwww.google.com-252Furl-253Fq-253Dhttps-253A-252F-252Flibrary.educause.edu-252Fresources-252F2016-252F10-252Fhigher-2Deducation-2Dcloud-2Dvendor-2Dassessment-2Dtool-2526sa-253DD-2526ust-253D1519160086542000-2526usg-253DAFQjCNHtq6sVc7M6Yijyrp-2DFyIIhP7-2Dg3A-26data-3D01-257C01-257Cjon-5Fallen-2540baylor.edu-257C2f31c9f2ae8048feb12908d5789c6998-257C22d2fb35256a459bbcf4dc23d42dc0a4-257C1-26sdata-3DxWyOTuLEnGCCgx273bRaeoOn-252FF5jzLxFimJ28wRO8BQ-253D-26reserved-3D0-253E&d=DwMFaQ&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=4tXVq601XmhDniXOW1kuWpurbC9f9a6M-yc_WadTw3c&s=zjc34Ie1f_8GKw64KYviImC5uDxr-IqoIItfvnEtpcQ&e=> ). The purpose of this list is two-fold: First, to demonstrate HECVAT adoption at higher education institutions (so that vendors will want to participate in completing a HECVAT). Second, to provide a list of HECVAT references (so that institutions can contact their peers with HECVAT questions). If you are interested in being listed on the webpage in this manner, please fill out this form. Institutional names only (not contact information) will be listed on the webpage. If you would like your institution to be listed in this way, please complete our form: https://goo.gl/forms/BJlson23HVDMy1Q63<https://na01. safelinks.protection.outlook.com/?url=https%3A%2F%2Fgoo.gl% 2Fforms%2FBJlson23HVDMy1Q63&data=01%7C01%7Cjon_allen% 40baylor.edu%7C2f31c9f2ae8048feb12908d5789c6998%7C22d2fb3525 6a459bbcf4dc23d42dc0a4%7C1&sdata=BjbsQBbg%2FPZVtOhlWIHMTX XOSHq1TTzBXwqVNMfqoQk%3D&reserved=0> <https://urldefense.proofpoint.com/v2/url?u=https-3A__goo.gl_forms_BJlson23HVDMy1Q63-253Chttps-3A__na01.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fgoo.gl-252Fforms-252FBJlson23HVDMy1Q63-26data-3D01-257C01-257Cjon-5Fallen-2540baylor.edu-257C2f31c9f2ae8048feb12908d5789c6998-257C22d2fb35256a459bbcf4dc23d42dc0a4-257C1-26sdata-3DBjbsQBbg-252FPZVtOhlWIHMTXXOSHq1TTzBXwqVNMfqoQk-253D-26reserved-3D0-253E&d=DwMFaQ&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=4tXVq601XmhDniXOW1kuWpurbC9f9a6M-yc_WadTw3c&s=DvnEBRodrVDtQGZrGMLrnsgs2_4m50e6bzCGwFg0JKM&e=> Thanks,* * * * *_________________________________* *Jon Allen, CISSP, EnCE * *Assistant Vice President & * *Chief Information Security Officer* *Baylor University * *254.710.4793 <(254)%20710-4793> <tel:%28254%29%20710-4793 <%28254%29%20710-4793>>* * * /Users/jon_allen/Library/Containers/com.microsoft.Outlook /Data/Library/Caches/Signatures/signature_1325000890 / //www.baylor.edu/bearaware <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.baylor.edu_bearaware&d=DwMFaQ&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=4tXVq601XmhDniXOW1kuWpurbC9f9a6M-yc_WadTw3c&s=raX79DvhhpZzTWWKV60qOWbAuWgNCaIipOF5LTBkZFU&e=> /<http://www.baylor.edu/bearaware <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.baylor.edu_bearaware&d=DwMFaQ&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=4tXVq601XmhDniXOW1kuWpurbC9f9a6M-yc_WadTw3c&s=raX79DvhhpZzTWWKV60qOWbAuWgNCaIipOF5LTBkZFU&e=>-- - Ken ================================================================= Ken Connelly Director, Information Security Information Security Officer University of Northern Iowa email: Ken.Connelly () uni edu p: (319) 273-5850 f: (319) 273-7373 Any request to divulge your UNI password via e-mail is fraudulent!
-- ------------------------------------------------- Josh Callahan Information Security Officer and CTO ITS :: Humboldt State University 1 Harpst St. Arcata CA 95521 707.826.3815
Current thread:
- Re: HECVAT Users List, (continued)
- Re: HECVAT Users List Sue McGlashan (Feb 22)
- Re: HECVAT Users List Gregg, Christopher S. (Feb 22)
- Re: HECVAT Users List Theresa Rowe (Feb 28)
- Re: HECVAT Users List Penn, Blake C (Mar 01)
- Re: HECVAT Users List Theresa Rowe (Mar 01)
- Re: HECVAT Users List Ronald King (Mar 12)
- Re: HECVAT Users List Steven W Andariese (Mar 20)
- Re: HECVAT Users List Hart, Michael (Mar 01)
- Re: HECVAT Users List Alan Bowen (Feb 22)
- Re: HECVAT Users List Ronald King (Feb 22)
- Re: HECVAT Users List Josh Callahan (Feb 22)
- Re: HECVAT Users List Steven W Andariese (Feb 22)
- Re: HECVAT Users List Mark Dieterich (Feb 23)
- Re: HECVAT Users List Laura Raderman (Feb 26)
- Re: HECVAT Users List Washburn, Ian (Feb 27)
- Re: HECVAT Users List Tom Horton (Feb 27)