Educause Security Discussion mailing list archives
Re: HECVAT - Vendor Refusal
From: "Jones, Cindy" <cmjonz () UAB EDU>
Date: Wed, 16 Jun 2021 16:40:12 +0000
I would also greatly appreciate the data rider agreement. We have an IT Addendum that we use but would like to share this with our University Counsel Office.

Thank you!

Cindy M Jones, CISSP, GLEG | Director - Risk Management & IT Compliance
Enterprise Information Security
UAB | The University of Alabama at Birmingham
RUST 138 | 815 18th Street South | Birmingham, AL 35233
P: 205.975.8261 | cmjonz () uab edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Joey Rego
Sent: Wednesday, June 16, 2021 11:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Hi Jonathan,

I'd also be interested in the standard data rider agreement you mentioned.

Thanks

Joey Rego
Assistant Director of Information Security
Information Technology
Lynn University
3601 North Military Trail
Boca Raton, FL 33431
T: +1 561-237-7982
jrego () lynn edu
+1 561-237-7000 | lynn.edu | give.lynn.edu

Help Keep Our Students' and Employees' Data Secure! Ask yourself the following when you need to store files or information:
1. What data or files am I collecting in this process, and what is the business justification for asking, collecting and storing it?
2. Is the data regulated at the state level or the federal level?
3. Where am I storing the data, and how am I securing it so that only the persons who I want to have access have access?
4. Once I've stored the data or files, what are some reasons that I would need to review the data?
5. When will I purge or delete the data or file?
6. How or what process will I write down and implement to destroy the data or file once it is no longer needed?
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Feldman, Nell D
Sent: Tuesday, June 15, 2021 4:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Hi Jonathan,

I'd be interested in seeing your standard data rider agreement. Even with a HECVAT assessment, we generally ask for some data protection language, working with General Counsel when they do the standard contract review.

I have had a lot of struggles over the years, and particularly recently, with vendors refusing to complete the HECVAT. It raises a red flag for sure. I have found that these vendors are either new to the market or new to higher ed and haven't matured their security programs yet. I even had a case recently where a vendor provided the HECVAT saved as a PDF where they had done their own scoring and refused to provide the original spreadsheet so I could use the tool as it was intended: to complete the assessment myself.

Thanks,
Nell

Nell Feldman, CISSP (pronouns: she, her, hers)
IT Security Manager
Montgomery College
240-567-3120

Report suspected phishing emails using the Phishing Reporter Button in Outlook, Office 365, and the Outlook mobile app.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Tuesday, June 15, 2021 10:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Ah.... Okay.... So, what I do, in lieu of the HECVAT (and I can't choose a different vendor), is a standard data rider agreement that we ask them to sign along with the contract that covers most of the critical pieces.... I'm happy to share if interested.....

-Jonathan

~
Jonathan Kimmitt
CISSP, FIP, CDPSE, CIPP/E, CIPM, CIPT, OTCP, GLEG, GPEN, GSNA, PCIP, CEH
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Menne, Michael S
Sent: Tuesday, June 15, 2021 9:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Jonathan,

They disagree with the intent of the HECVAT vs. lite. They consider the HECVAT to be only for the most restricted data (HIPAA, PCI, SSN, etc.). They consider the HECVAT lite to be good enough for "sensitive" data. This is a vendor that a department on campus wants to move an existing on-premise solution to a cloud version.

I like the scoring feature of the HECVAT. I haven't used the HECVAT lite a lot so far. The HECVAT has a good set of questions that allow me to get assurances of how a vendor handles their data security.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Tuesday, June 15, 2021 8:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Did they give you a reason why they won't fill it out? I've had several that have refused... some we move to the next vendor, some we have signed NDAs to get the information.....

-Jonathan

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ruth Ginzberg
Sent: Tuesday, June 15, 2021 8:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Agree with Isaac ... AND (perhaps because of the success of the HECVAT to date...) one of the things I'm finding I need to ask for is a RECENT version of the HECVAT ... been getting some moldy oldies from some vendors that really need to be updated to the current version...

Ruth Ginzberg
608-890-3961

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Isaac Straley
Sent: Tuesday, June 15, 2021 8:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Obvious, but just so it's said: it is not up to the vendor what kind of assurance your program needs. It is entirely their choice if they want to do what you ask for or not. Depending on the risk and our internal capacity to analyze, I've accepted other formats of assurance. But I take a hard look at suppliers who resist providing information, especially in a reusable vehicle like this. The answer to "why won't they do this" is an important factor. The HECVAT isn't perfect, but we've collectively really done a lot of good work to reduce the overhead on suppliers, and it's a good faith effort to ask for it, in my opinion.

Isaac

--
Isaac Straley
Chief Information Security Officer
University of Toronto

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Menne, Michael S" <000002306ce3cd04-dmarc-request () LISTSERV EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, June 15, 2021 at 6:28 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] HECVAT - Vendor Refusal

For those that have used the HECVAT and HECVAT lite, what has your response been to a vendor who refuses to fill out the full HECVAT and claims that the HECVAT is only required for "sensitive data" (SSN, CC#, etc.)? We have used the HECVAT lite only for situations where the data is completely public. In all other situations, we've used the HECVAT. Most vendors take a few attempts to get the answers we are looking for, but I've only had one other that has said they won't fill it out at all.

Thank you,

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions
Information Security
Minnesota State University, Mankato
https://mankato.mnsu.edu/cyberaware

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.

Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Re: HECVAT - Vendor Refusal, (continued)
- Re: HECVAT - Vendor Refusal Powell, Andy (Jun 15)
- Re: HECVAT - Vendor Refusal McClenon, Brady (Jun 15)
- Re: HECVAT - Vendor Refusal Kimmitt, Jonathan (Jun 15)
- Re: HECVAT - Vendor Refusal Kimmitt, Jonathan (Jun 15)
- Re: HECVAT - Vendor Refusal King, Ronald A. (Jun 15)
- Re: HECVAT - Vendor Refusal Kevin Cleary (Jun 15)
- Re: HECVAT - Vendor Refusal Feldman, Nell D (Jun 15)
- Re: HECVAT - Vendor Refusal Joey Rego (Jun 16)
- Re: HECVAT - Vendor Refusal Koors, Anne N. (Jun 16)
- Re: HECVAT - Vendor Refusal Kimmitt, Jonathan (Jun 16)
- Re: HECVAT - Vendor Refusal Jones, Cindy (Jun 16)
- Re: HECVAT - Vendor Refusal King, Ronald A. (Jun 16)
- Re: [External]:Re: [SECURITY] HECVAT - Vendor Refusal Ferland, William (Jun 16)
- Re: [External]:Re: [SECURITY] HECVAT - Vendor Refusal Michelle Hobbins (Jun 16)
- Re: [External]:Re: [SECURITY] HECVAT - Vendor Refusal Bill Newman (Jun 16)
- Re: [External]:Re: [SECURITY] HECVAT - Vendor Refusal Kimmitt, Jonathan (Jun 16)
- Re: [External]:Re: [SECURITY] HECVAT - Vendor Refusal Kimmitt, Jonathan (Jun 16)
- Re: [External]:Re: [SECURITY] HECVAT - Vendor Refusal Kimmitt, Jonathan (Jun 16)
- Re: HECVAT - Vendor Refusal Snider, Jodie (Jun 16)
- Re: HECVAT - Vendor Refusal Leslie Gonzalez (Jun 16)
- Re: HECVAT - Vendor Refusal Kimmitt, Jonathan (Jun 16)