Educause Security Discussion mailing list archives
Re: HECVAT Tool with Current Vendors
From: Clark Gaylord <cgaylord () VT EDU>
Date: Wed, 22 Jan 2020 08:57:56 -0500
For a 6+ digit RFP, HECVAT can be a great focus to a conversation regarding security practices. If you require it of every purchase, your community will find themselves unable to purchase $40 SaaS products and you will be burned in effigy. HECVAT (even it's so-called "lite" version) is a *very* onerous activity for the majority of small cloud vendors, most of whom have predefined services, some of which outside their control, with low marginal revenue per sale (and similarly low risk for you). I do recommend you have conversations with vendors regarding their security practices, and even promote HECVAT as a "community standard", but there is no joy in making it a non-negotiable requirement. I'd require IPv6 before requiring HECVAT; it's more indicative of general cluefulness. -- Clark Gaylord cgaylord () vt edu ... autocorrect may have improved this message ... On Mon, Jan 13, 2020, 11:40 Ronald Loneker <rloneker () cse edu> wrote:
Good Morning - We recently were made aware of, and decided to start using, the HECVAT tool with new vendors we use for future projects. I'm wondering whether we should go back to our current vendors offering cloud applications and have them complete the tool even though we're existing customers. Just asking for thoughts and whether anyone has done this before and gotten a lot of pushback from existing vendors. I think our IT auditors would be pleased if we have this information centralized. Ron Loneker, Jr. Director, IT Special Projects College of Saint Elizabeth Mahoney Library 2 Convent Road Morristown, NJ 07960 Phone: 973-290-4229 e-mail: rloneker () cse edu *CSE's IT department will never ask for your password, social security number or other personal information in an e-mail message.* *Please do not share any information with others!* ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- HECVAT Tool with Current Vendors Ronald Loneker (Jan 13)
- Re: HECVAT Tool with Current Vendors Frank Barton (Jan 13)
- Re: HECVAT Tool with Current Vendors Alexandre Adao (Jan 13)
- Re: HECVAT Tool with Current Vendors Cam Beasley (Jan 13)
- Re: [EXTERNAL]Re: [SECURITY] HECVAT Tool with Current Vendors Jason Fried (Jan 13)
- Re: HECVAT Tool with Current Vendors Dennis Bolton (Jan 22)
- Re: HECVAT Tool with Current Vendors Alexandre Adao (Jan 13)
- Re: HECVAT Tool with Current Vendors Madl, Michael (Jan 15)
- Re: HECVAT Tool with Current Vendors Wessam Maher (Jan 22)
- Re: HECVAT Tool with Current Vendors Clark Gaylord (Jan 22)
- Re: [External] Re: [SECURITY] HECVAT Tool with Current Vendors Thomas Dugas (Jan 23)
- Re: HECVAT Tool with Current Vendors Frank Barton (Jan 13)