Educause Security Discussion mailing list archives

Re: HECVAT Users List


From: Steven W Andariese <Steve.Andariese () NAU EDU>
Date: Tue, 20 Mar 2018 15:24:19 +0000

Resurrecting this a bit.  We're looking to come up with a set of questions for the RFP process that the vendor would 
not consider proprietary or have an issue with if they did become public.  I could make some educated guesses, but it seems 
as though it might be somewhat trial and error.

Has anyone put anything like this together or have any insight or thoughts into security/compliance questions to put in 
an RFP?

Many thanks,
Steve

PS Thanks to those that brought up the FOIA issue; this is not something that we had considered!!

Steve Andariese
Information Assurance
Information Technology Services
Northern Arizona University
Flagstaff, Arizona  86011

E-mail: Steve.Andariese () nau edu
Voice:  928 523-6631
Fax:  928 523 7407

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ronald King
Sent: Monday, March 12, 2018 3:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT Users List

It sounds as though the sharing of bid info varies. Here, we can mark portions as confidential. The state then exempts 
such from MPIA (MD FOIA) requests.

Ron

Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Office: (443) 885-3372
Email: ronald.king () morgan edu
URL: http://www.morgan.edu

Growing the future ... Leading the world


On Thu, Mar 1, 2018 at 3:45 PM, Theresa Rowe <rowe () oakland edu> wrote:
Our Purchasing department does not allow any removal of any vendor submitted materials during the process.
The language inserted into every RFP states:
       All supporting documentation and manuals submitted with this proposal will become the property of the University.

Once it is our property, the material goes with our documents retention policy.  By policy, materials in a bid response 
are retained by Purchasing for 7 years.


  Our attorney assigned to FOIA does not allow anything submitted as a bid to be marked as confidential.

The actual language inserted into every RFP without exception is:


The Vendor understands that the University complies with the Michigan Freedom of Information Act (“FOIA”) and that the 
University may provide Confidential Information to other persons or entities upon receipt of a FOIA request.

So labeling anything as confidential doesn't get us any exemption.  This has certainly affected how I handle security 
materials in bid processes.

Just sharing with you all; you may want to double-check your processes, so that is the only reason I'm sharing.  File 
it into the "things I would ask about if I were interviewing for a job...".

Theresa

Theresa Rowe
Chief Information Officer
Oakland University


On Thu, Mar 1, 2018 at 8:27 AM, Penn, Blake C <blake.penn () security gatech edu> wrote:
You could always review the spreadsheet upon receipt and convert the responses to some numerical rating or the like and 
then destroy the original in cases like this.  That way only the scores could be FOIAed.

Regards,

Blake Penn
Information Security Policy and Compliance Manager
Cyber Security
Georgia Institute of Technology
(404) 385-5480

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa Rowe
Sent: Wednesday, February 28, 2018 13:06
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT Users List

We've hit a stumbling block on asking vendors to issue a security statement or spreadsheet like this as we received an 
interpretation that as a public university, any vendor response received in the bid process could be requested under 
FOIA and the open public bids process. If they said they wouldn't allow sharing, we couldn't guarantee that the 
response would not be shared. We started telling vendors this, and they quit agreeing to submit anything.  We try to 
get at this review later and not part of the procurement process.

Theresa

Theresa Rowe
Chief Information Officer
Oakland University


On Thu, Feb 22, 2018 at 11:23 AM, Gregg, Christopher S. <csgregg () stthomas edu> wrote:
We use our own set of standard questions currently but I am trying to move us to using the HECVAT.  For those who 
started to use the HECVAT, I am wondering if you have developed criteria for when to use it and when to use something 
even lighter than the lite version?  For example, are you tying the use of the tool to specific cost ranges or data 
security classifications used by the solution in question?

I ask because my team (contracts, acquisition and budget fall in my area as well) is concerned that even the lite 
version will be onerous to apply to all cloud acquisitions.

Thanks,

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Information Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian T. Huntley
Sent: Thursday, February 22, 2018 5:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT Users List

We started using the HECVAT late in 2017 as well.

We've incorporated it into the purchasing process, so a PO cannot be issued until we're satisfied with the responses.  
This gets us in at the ground floor for new contracts and enables us to insert ourselves in renewals of existing 
contracts.

So far, we've had occasion for three vendors to do it.  Based on the type of data we were sharing with them, the Lite 
version seemed most appropriate.  One vendor already had one done; the other two had never heard of it and took a 
couple of weeks to complete it, but didn't really complain about the process.

None of them were willing to have their completed HECVATs, nor their willingness to provide a completed HECVAT, shared.

Brian



Brian T. Huntley, CISSP
Director of Network Services and Information Security
Office of Information Technology
Clarkson University
315.268.6723

On Wed, Feb 21, 2018 at 8:46 PM, Ken Connelly <ken.connelly () uni edu> wrote:
In general, are you (collective you, not just Mark) using the full-blown
HECVAT or the HECVAT Lite?

- ken

On 2/21/18 4:29 PM, Mark Dieterich wrote:
We've been telling vendors that EDU customers are adopting this, but
haven't had a sense of how widespread the adoption has been. I got the
green light to have Brown listed, so we will be adding our name to the list.

When this first came about, there was discussion on developing a
sharing platform where completed HECVATs, or the fact that a vendor has
filled out a HECVAT, depending on their wishes, could be listed. Are
there any developments with this? I think we actually have one vendor
who indicated we could share and a few that gave us permission to list
them; it would be great if we could actually do something with these.

Thanks,

Mark

On Wed, Feb 21, 2018 at 1:20 PM, Allen, Jon <Jon_Allen () baylor edu> wrote:

    Hello!

    The 2019 Higher Education Cloud Vendor Assessment Tool (HECVAT)
    working group is devoting effort to getting the word out about
    institutional HECVAT adoption.  We want to create a list of
    institutions that are using the HECVAT to publish on the HECVAT
    web page
    (https://library.educause.edu/resources/2016/10/higher-education-cloud-vendor-assessment-tool).
    The purpose of this list is two-fold: First, to demonstrate HECVAT
    adoption at higher education institutions (so that vendors will
    want to participate in completing a HECVAT). Second, to provide a
    list of HECVAT references (so that institutions can contact their
    peers with HECVAT questions). If you are interested in being
    listed on the webpage in this manner, please fill out this form.
    Institutional names only (not contact information) will be listed
    on the webpage.

    If you would like your institution to be listed in this way,
    please complete our form:

    https://goo.gl/forms/BJlson23HVDMy1Q63



    Thanks,

    _________________________________
    Jon Allen, CISSP, EnCE
    Assistant Vice President &
    Chief Information Security Officer
    Baylor University
    254.710.4793
    http://www.baylor.edu/bearaware/



--
- Ken
=================================================================
Ken Connelly                       Director, Information Security
Information Security Officer          University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850   f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!