Educause Security Discussion mailing list archives
Re: HECVAT alternative for On-Prem Vendors
From: Sue Rivera <srivera () CSUB EDU>
Date: Wed, 14 Nov 2018 20:08:22 +0000
Josh,

I would like to be involved for the 3rd piece when you’re ready. Have a breach free day!

Thank you,
Sue Rivera

From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hillhouse, Bob (Bob)
Sent: Wednesday, November 14, 2018 10:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT alternative for On-Prem Vendors

We would be interested in testing the OnPrem fork.

--
Bob Hillhouse, CISSP
Associate CIO & CISO
The University of Tennessee, Knoxville

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Josh Callahan <josh.callahan () HUMBOLDT EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, November 14, 2018 at 10:24 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT alternative for On-Prem Vendors

We're talking a bit in the HECVAT working group about the possibility of a third fork for this, maybe call it the HECVAT-OnPrem. I did a bit of analysis on the relevant sections and question counts:

Documentation (Full/Lite 6)
Company (Full/Lite 7)
Application/Service Security (Full 17) (Lite 6)
Authentication, Authorization, and Accounting (Full 17) (Lite 5)
Change Management (Full 15) (Lite 4)
Database (Full/Lite 2)
Policies, Procedures, and Processes (Full 20) (Lite 4)
Product Evaluation (Full 2) (Lite 0)
Quality Assurance (Full 5) (Lite 0)

Using the full version as a base, we'd end up with an 81 question fork. One based on the lite would only be 34 questions. Do you folks have a preference? Anyone interested in helping build/test a new version of the tool?

-Josh

On Fri, Nov 9, 2018 at 8:13 AM randy <marchany () vt edu> wrote:

This is our "on-prem" vendor questionnaire that we've used in the past couple of years. It's at https://itpals.vt.edu/content/dam/itpals_vt_edu/newitasitedocs/it-procurement/it_security_questionnaire2.pdf. We took Notre Dame and IU's original questionnaires and modified them. We will be using HECVAT for more evals in the future.

Randy Marchany
VA Tech IT Security Office and Lab

On Fri, Nov 9, 2018 at 7:24 AM Belsito, Louis D <belsito () rowan edu> wrote:

I’ve been struggling with this issue as well. I’ve been using Gartner’s Security and Privacy Vendor Application Evaluation (VSPT Questionnaire); it’s a spreadsheet for basic security and privacy assessment of vendor applications. It’s not as clean and pretty as the HECVAT. It’s about 60 questions.

____________________________________
Lou Belsito, MBA, MISM, CISSP, CISA
Manager, Information Security Risk
Information Security Office
Division of Information Resources & Technology
Rowan University
201 Mullica Hill Rd., Glassboro, NJ 08028
T: 856-256-5725
Rowan.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Tyler Newell
Sent: Thursday, November 1, 2018 9:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT alternative for On-Prem Vendors

Community,

We started using the HECVAT for cloud vendor assessments a little more than a year ago and have been very happy with it, especially when a vendor has already filled one out so we aren’t waiting to receive it back. That said, we’ve had contract expirations for some of our on-premise vendors and wanted to run them through a similar process to properly assess their product(s). I wasn’t able to find a standardized assessment questionnaire like the HECVAT when it comes to on-premise, so I thought I would reach out to see if anyone had a document already created that they are willing to share.

I appreciate your time for reading this.

Thank you,

//SIGNED//
Tyler Newell, Information Security Analyst
Bowling Green State University | Information Technology Services
P: 419.372.0999 | tnewell () bgsu edu | www.bgsu.edu/infosec

This e-mail, including any attachments, may contain information that is protected by law as privileged and confidential, and is transmitted for the sole use of the intended recipient. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying or retention of this e-mail or the information contained herein is strictly prohibited.

--
-------------------------------------------------
Josh Callahan
Information Security Officer and CTO
ITS :: Humboldt State University
1 Harpst St. Arcata CA 95521
707.826.3815