Educause Security Discussion mailing list archives
Re: HECVAT - Vendor Refusal
From: Kevin Cleary <kpcleary () BUFFALO EDU>
Date: Tue, 15 Jun 2021 14:45:55 +0000
While we don't use the HECVAT in all instances, we use a home-grown tool that is heavily inspired by it. In some instances, if the vendor is able to provide alternate documentation such as a HECVAT, SOC 2, third-party assessment, etc., we can use these documents instead for the review process. We only require completion of a vendor review process when:

* A certain dollar threshold is met
* The data classification meets our category 1 or 2 standards
* Some type of expectation exists for backend system integration (such as SSO) and/or data provisioning.

We've had some instances where a vendor has refused to complete this and provided no other documentation as it was "too much work" for them. My off-the-cuff response to this is typically "well, how bad do they want to do business with us?" My internal monologue is "well, if this is too difficult, how good of a job do they do maintaining security on their systems?" :-P

Regardless of their reasons for not completing this process, we do have an exception process in place: in the event the vendor is unable to provide sufficient evidence of a well-implemented security program and the business unit persists with the purchase despite being told of the risks involved, our VP CIO and the Dean/VP of the area pushing for the acquisition have to sign off on the exception.

--
Kevin Cleary, CISSP
Interim Information Security Officer
Manager, Systems Software
University at Buffalo Information Technology
305 Computing Center
Buffalo NY 14260-1407
Phone: 716-645-4767

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Tuesday, June 15, 2021 10:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

These are some very good points. I especially like the comment that it's your responsibility to perform your evaluations as you see fit. The classification of the data is the institution's responsibility, not the vendor's.

That is a red flag and would make us less likely to use their product. They do not understand your needs. I have found that once the vendors do complete it, they are relieved they have and reuse it for new clients. I have even had one VP report to me that the fact they had completed it for my institution gave them opportunities with other institutions. They increased business because of it. What vendor would not want to do that?

Thank you,
Ronald King
Director of OIT Security
Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu
www.nsu.edu
@NSUCISO (Twitter)

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Tuesday, June 15, 2021 10:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Ah... Okay... So, what I do, in lieu of the HECVAT (and I can't choose a different vendor), is a standard data rider agreement that we ask them to sign along with the contract that covers most of the critical pieces... I'm happy to share if interested...

-Jonathan

~ Jonathan Kimmitt
CISSP, FIP, CDPSE, CIPP/E, CIPM, CIPT, OTCP, GLEG, GPEN, GSNA, PCIP, CEH
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Menne, Michael S
Sent: Tuesday, June 15, 2021 9:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Jonathan,

They disagree with the intent of the HECVAT vs. Lite. They consider the HECVAT to be only for the most restricted data (HIPAA, PCI, SSN, etc.). They consider the HECVAT Lite to be good enough for "sensitive" data. This is a vendor with whom a department on campus wants to move an existing on-premise solution to a cloud version.

I like the scoring feature of the HECVAT. I haven't used the HECVAT Lite a lot so far. The HECVAT has a good set of questions that allow me to get assurances of how a vendor handles their data security.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Tuesday, June 15, 2021 8:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Did they give you a reason why they won't fill it out? I've had several that have refused. Some we move to the next vendor; some we have signed NDAs to get the information...

-Jonathan

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ruth Ginzberg
Sent: Tuesday, June 15, 2021 8:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Agree with Isaac. AND (perhaps because of the success of the HECVAT to date) one of the things I'm finding I need to ask for is a RECENT version of the HECVAT. Been getting some moldy oldies from some vendors that really need to be updated to the current version.

Ruth Ginzberg
608-890-3961

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Isaac Straley
Sent: Tuesday, June 15, 2021 8:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Obvious, but just so it's said: it is not up to the vendor what kind of assurance your program needs. It is entirely their choice if they want to do what you ask for or not.

Depending on the risk and our internal capacity to analyze, I've accepted other formats of assurance. But I take a hard look at suppliers who resist providing information, especially in a reusable vehicle like this. The answer to "why won't they do this" is an important factor. The HECVAT isn't perfect, but we've collectively really done a lot of good work to reduce the overhead on suppliers, and it's a good-faith effort to ask for it, in my opinion.

Isaac

--
Isaac Straley
Chief Information Security Officer
University of Toronto

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Menne, Michael S" <000002306ce3cd04-dmarc-request () LISTSERV EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, June 15, 2021 at 6:28 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] HECVAT - Vendor Refusal

For those that have used the HECVAT and HECVAT Lite, what has your response been to a vendor who refuses to fill out the full HECVAT and claims that the HECVAT is only required for "sensitive data" (SSN, CC#, etc.)? We have used the HECVAT Lite only for situations where the data is completely public. In all other situations, we've used the HECVAT. Most vendors take a few attempts to get the answers we are looking for, but I've only had one other that has said they won't fill it out at all.

Thank you,

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
https://mankato.mnsu.edu/cyberaware

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community