Re: [External] [SECURITY] Suggestion for use/modification to HECVAT

["Escue, Charles E" <cescue () IU EDU>]

Thank you for the feedback, Rick! As a member of the working group, I can confirm that this issue of vendor score vs. 
post-assessment score has been discussed and making these medications to the documents will be a high priority in the 
Phase V development cycle. I cannot comment of specifics at this time but your suffering is shared by all (at least for 
now).

If you don’t mind, one of us may reach out to you to discuss further. Let me know.


Charlie


Charles Escue, CISSP, GCIH
Manager, Extended Information Security
Office of the Vice President for IT and CIO 
University Information Security Office
Indiana University


> On Dec 20, 2019, at 12:39, Richard Gould <Richard.Gould () ASU EDU> wrote:
>
> This message was sent from a non-IU address. Please exercise caution when clicking links or opening attachments from 
> external sources.
>
> All,
> Any thoughts or alternatives to the idea of adding two columns in the Analyst Report to show the original Vendor 
> score and the Analyst score.
> The Analyst score would be based on the overrides provided in  column G typically rows 31 and beyond, which should 
> have documentation on why the Analyst is overriding the Vendor score.
> We would also add a feature to easily add override rows for the analyst for any entry that the vendor provided.
>  
> The goal is to show the vendors response and the resultant grade then document the analysts review with 
> documentation.  This will provide us a document that we can refer to for the periodic reviews and if any issues come 
> up.
> Our analyst overrides or comments are necessary as they are specific to the context, and contract specifics of the 
> project and the data.
>  
> How do you handle the particulars of accepting or rejecting response lines?  We dicussed using an additional document 
> but rejected as keeping the two documents matched up would cause us more work when performing annual reviews.
>  
> My apologies if this has already been discussed.
>  
>  
>  
> VENDOR
>  
> ANALYST
> Report Sections
> Max_Score
> Score
> Score %
> Score
> Score %
> Documentation
> 100
> 0
> 0%
> 0
> 0%
> Company
> 115
> 0
> 0%
> 0
> 0%
> Application Security
> 110
> 0
> 0%
> 0
> 0%
> Authentication, Authorization, and Accounting
> 100
> 0
> 0%
> 0
> 0%
> Business Continuity
> 55
> 0
> 0%
> 0
> 0%
> Change Management
> 80
> 0
> 0%
> 0
> 0%
> Data
> 225
> 0
> 0%
> 0
> 0%
> Database
> 80
> 0
> 0%
> 0
> 0%
> Datacenter
> 160
> 0
> 0%
> 0
> 0%
> Disaster Recovery
> 70
> 0
> 0%
> 0
> 0%
> Firewalls, IDS, IPS, and Networking
> 140
> 0
> 0%
> 0
> 0%
> Physical Security
> 80
> 0
> 0%
> 0
> 0%
> Policies, Procedures, and Processes
> 160
> 0
> 0%
> 0
> 0%
> Systems Management & Configuration
> 30
> 0
> 0%
> 0
> 0%
> Vulnerability Scanning
> 80
> 0
> 0%
> 0
> 0%
> Overall Score
> F
> 0
> 0.00%
> 0
> 0.00%
>  
> Best Regards,
> Rick
>
> Richard (Rick) Gould
> Director, Research Technology Operations
> ASU Knowledge Enterprise
> Advancing Research, Entrepreneurship and Economic Development
> Research Technology Office
> researchmatters.asu.edu <https://researchmatters.asu.edu/> | research.asu.edu <https://research.asu.edu/>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
> person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
> and subscription information can be found at https://www.educause.edu/community <https://www.educause.edu/community>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Attachment: smime.p7s
Description: