Educause Security Discussion mailing list archives

Re: HECVAT alternative for On-Prem Vendors


From: "McNeil, Sharon Mclawhorn" <McLawhorns () ECU EDU>
Date: Mon, 19 Nov 2018 17:18:54 +0000

Josh,

We would be interested in helping with this process as well.


Thanks,
_______________________________________________________
Sharon McNeil
IT Security Specialist
ECU | Information Technology & Computing Services (ITCS)
209 Cotanche St. | Office 166-A | Mail Stop 229
Greenville, NC 27858-4353

Office: 252-328-9112 | mclawhorns () ecu edu | ecu.edu/itcs
_______________________________________________________

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Josh Callahan
Sent: Wednesday, November 14, 2018 11:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT alternative for On-Prem Vendors



We're talking a bit in the HECVAT working group about the possibility of a third fork for this, maybe call it the 
HECVAT-OnPrem.  I did a bit of analysis on the relevant sections and question counts:

Documentation (Full/Lite 6)
Company (Full/Lite 7)
Application/Service Security (Full 17) (Lite 6)
Authentication, Authorization, and Accounting (Full 17) (Lite 5)
Change Management (Full 15) (Lite 4)
Database (Full/Lite 2)
Policies, Procedures, and Processes (Full 20) (Lite 4)
Product Evaluation (Full 2) (Lite 0)
Quality Assurance (Full 5) (Lite 0)

Using the full version as a base, we'd end up with an 81 question fork.  One based on the lite would only be 34 
questions.  Do you folks have a preference?

Anyone interested in helping build/test a new version of the tool?

-Josh


On Fri, Nov 9, 2018 at 8:13 AM randy <marchany () vt edu> wrote:
This is our "on-prem" vendor questionnaire that we've used in the past couple of years. It's at 
https://itpals.vt.edu/content/dam/itpals_vt_edu/newitasitedocs/it-procurement/it_security_questionnaire2.pdf.
 We took Notre Dame and IU's original questionnaires and modified them.

We will be using HECVAT for more evals in the future.

Randy Marchany
VA Tech IT Security Office and Lab


On Fri, Nov 9, 2018 at 7:24 AM Belsito, Louis D <belsito () rowan edu> wrote:
I’ve been struggling with this issue as well.  I’ve been using Gartner’s Security and Privacy Vendor Application 
Evaluation (VSPT Questionnaire); it’s a spreadsheet for basic security and privacy assessment of vendor applications.  
It’s not as clean and pretty as the HECVAT.  It’s about 60 questions.


____________________________________

Lou Belsito, MBA, MISM, CISSP, CISA
Manager, Information Security Risk
Information Security Office
Division of Information Resources & Technology

Rowan University
201 Mullica Hill Rd., Glassboro, NJ 08028
T: 856-256-5725
Rowan.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Tyler Newell
Sent: Thursday, November 1, 2018 9:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT alternative for On-Prem Vendors

Community,

We started using the HECVAT for cloud vendor assessments a little more than a year ago and have been very happy with it, 
especially when a vendor has already filled one out so we aren’t waiting to receive it back.

That said, we’ve had contract expirations for some of our on-premise vendors and wanted to run them through a similar 
process to properly assess their product(s). I wasn’t able to find a standardized assessment questionnaire like the 
HECVAT when it comes to on-premise, so I thought I would reach out to see if anyone had a document already created that 
they are willing to share.

I appreciate your time in reading this.

Thank you,

//SIGNED//
Tyler Newell, Information Security Analyst
Bowling Green State University | Information Technology Services
P: 419.372.0999 | tnewell () bgsu edu | www.bgsu.edu/infosec




--
-------------------------------------------------
Josh Callahan
Information Security Officer and CTO
ITS :: Humboldt State University
1 Harpst St. Arcata CA 95521  707.826.3815

