Educause Security Discussion mailing list archives

Re: [External] Re: [SECURITY] HECVAT and HECVAT lite Threshold


From: "Escue, Charles E" <cescue () IU EDU>
Date: Fri, 28 Jun 2019 14:24:18 +0000

Zeshan, Darlene, and others,

It is great to see these questions being asked and hopefully I can shed some light on the current intent of the 
scoring. I am a member of the HEISC working group that develops the HECVAT (and more) and can give some background here.

The newly introduced scoring system (found in version 2.00 and later) is an educated-guess baseline set by the working 
group just to "start somewhere". The question- and section-based scoring will be assessed over the next year and 
adjusted as needed - these changes will be driven by the community so feedback is welcome! Come to EDUCAUSE conferences 
and come speak with the working group and others in the community - there are many of us doing this same thing and we 
want to help!

At this point, we do not really know the baseline of “good” - it could be 80, 70, or even a lower score, depending on 
your use case of the product/service/platform. The “passing score” is based on the use case of the data being shared 
and the risk tolerance of your organization. This is still a subjective part of the process and will always be. That 
said, the working group is working to better document the how/what/why’s of the HECVAT process to better assist the 
community with its adoption.

Over time, we (as in the royal we) can begin to compare the scores across vendors and adjust our expectations and/or 
scoring as needed. Right now, the scoring provides a quick snapshot of the product's security state that helps analysts 
prioritize their follow-up questions and/or research.

At Indiana University, we use the analyst-populated Analyst Report score as the starting point of assessment, not just 
the score that comes straight from the vendor. There are some questions in the Lite and Full versions of the HECVAT 
that must remain qualitative in nature, so the Analyst Report tab provides a mechanism to convert the qualitative value 
to a quantitative value - that is what it was designed for. Once the Analyst Report values are populated by your 
institution's reviewer (analyst), the actual “base score” is revealed. At that point, deficient areas of security are 
further scrutinized by the analysts. 

One tip: HECVAT questions are not equally valued by every institution. What is acceptable by one institution may not be 
for another, based on their risk tolerance and their institution's data classifications. Because of that, it will be 
difficult to define commodity "passing scores" that are useful for all institutions, but we can try!


Charlie


Charles Escue, CISSP, GCIH
Manager, Extended Information Security
University Information Security Office
Indiana University



On Jun 27, 2019, at 18:23, Quackenbush, Darlene H - quackedh <quackedh () JMU EDU> wrote:

Zeshan and others,
 
I certainly don't want to distract from your original question. But as others respond, I would also be interested to 
know what weight/consideration you give to the scoring and how reliable you find it to be across various submissions. 
 
At JMU we have not attempted to set a "passing score" and instead use the scores only as a jumping off point to 
evaluate the HECVAT response. Just wonder what we might be missing.
 
Regards,
--dq
 
 
 
Darlene H. Quackenbush
James Madison University
Information Technology
MCS 5733
Harrisonburg, VA 22801
540.568.3905
 
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Zeshan Siddiqui
Sent: Thursday, June 27, 2019 5:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT and HECVAT lite Threshold
 
Hello
 
We are in the process of setting our HECVAT and HECVAT Lite threshold (Analyst tab).
 
I am looking for what you set your passing score for each at and how you came to that decision.
 
 
Kindest regards,
 
Zeshan
 
Zeshan Siddiqui
Information Technology 
Pima Community College
District Office
(520) 206-4579
 
 
~ If what you did yesterday seems big to you today, then you have not done anything today.
