Educause Security Discussion mailing list archives
Re: [External] [SECURITY] Suggestion for use/modification to HECVAT
From: "Escue, Charles E" <cescue () IU EDU>
Date: Tue, 7 Jan 2020 20:03:42 +0000
Thank you for the feedback, Rick! As a member of the working group, I can confirm that this issue of vendor score vs. post-assessment score has been discussed, and making these modifications to the documents will be a high priority in the Phase V development cycle. I cannot comment on specifics at this time, but your suffering is shared by all (at least for now). If you don't mind, one of us may reach out to you to discuss further. Let me know.

Charlie

Charles Escue, CISSP, GCIH
Manager, Extended Information Security
Office of the Vice President for IT and CIO
University Information Security Office
Indiana University
On Dec 20, 2019, at 12:39, Richard Gould <Richard.Gould () ASU EDU> wrote:

This message was sent from a non-IU address. Please exercise caution when clicking links or opening attachments from external sources.

All,

Any thoughts or alternatives to the idea of adding two columns in the Analyst Report to show the original Vendor score and the Analyst score? The Analyst score would be based on the overrides provided in column G, typically rows 31 and beyond, which should have documentation on why the Analyst is overriding the Vendor score. We would also add a feature to easily add override rows for the analyst for any entry that the vendor provided.

The goal is to show the vendor's response and the resultant grade, then document the analyst's review with supporting documentation. This will provide us a document that we can refer to for the periodic reviews and if any issues come up. Our analyst overrides or comments are necessary, as they are specific to the context and contract specifics of the project and the data.

How do you handle the particulars of accepting or rejecting response lines? We discussed using an additional document but rejected it, as keeping the two documents matched up would cause us more work when performing annual reviews.

My apologies if this has already been discussed.
                                                            VENDOR            ANALYST
Report Sections                                 Max_Score   Score   Score %   Score   Score %
Documentation                                         100       0      0%        0      0%
Company                                               115       0      0%        0      0%
Application Security                                  110       0      0%        0      0%
Authentication, Authorization, and Accounting         100       0      0%        0      0%
Business Continuity                                    55       0      0%        0      0%
Change Management                                      80       0      0%        0      0%
Data                                                  225       0      0%        0      0%
Database                                               80       0      0%        0      0%
Datacenter                                            160       0      0%        0      0%
Disaster Recovery                                      70       0      0%        0      0%
Firewalls, IDS, IPS, and Networking                   140       0      0%        0      0%
Physical Security                                      80       0      0%        0      0%
Policies, Procedures, and Processes                   160       0      0%        0      0%
Systems Management & Configuration                     30       0      0%        0      0%
Vulnerability Scanning                                 80       0      0%        0      0%
Overall Score                                           F       0   0.00%        0   0.00%

Best Regards,
Rick

Richard (Rick) Gould
Director, Research Technology Operations
ASU Knowledge Enterprise
Advancing Research, Entrepreneurship and Economic Development
Research Technology Office
https://researchmatters.asu.edu/ | https://research.asu.edu/

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community