Educause Security Discussion mailing list archives

Re: HECVAT - Vendor Refusal


From: "Snider, Jodie" <jsnider () MCCNEB EDU>
Date: Wed, 16 Jun 2021 17:57:16 +0000

I would also appreciate a copy of the data rider.

Thank you

Jodie L Snider
Director IT Risk and Compliance
Metropolitan Community College
Omaha NE

On Jun 16, 2021, at 11:50 AM, Jones, Cindy <cmjonz () uab edu> wrote:

I would also greatly appreciate the data rider agreement.  We have an IT Addendum that we use but would like to share 
this with our University Counsel Office.

Thank you!

Cindy M Jones, CISSP, GLEG | Director – Risk Management & IT Compliance
Enterprise Information Security
UAB | The University of Alabama at Birmingham
RUST 138 | 815 18th Street South | Birmingham, AL 35233
P: 205.975.8261 | cmjonz () uab edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Joey Rego
Sent: Wednesday, June 16, 2021 11:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Hi Jonathan,

I’d also be interested in the standard data rider agreement you mentioned.

Thanks

Joey Rego
Assistant Director of Information Security
Information Technology
Lynn University
3601 North Military Trail
Boca Raton, FL 33431
T: +1 561-237-7982
jrego () lynn edu
+1 561-237-7000 | lynn.edu | give.lynn.edu

Help Keep Our Students' and Employees' Data Secure!
Ask yourself the following when you need to store files or information:

  1.  What data or files am I collecting in this process, and what is the business justification for asking for, collecting and storing it?
  2.  Is the data regulated at the state level or the federal level?
  3.  Where am I storing the data, and how am I securing it so that only the persons I want to have access have access?
  4.  Once I’ve stored the data or files, what are some reasons I would need to review the data?
  5.  When will I purge or delete the data or file?
  6.  What process will I write down and implement to destroy the data or file once it is no longer needed?

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Feldman, Nell D
Sent: Tuesday, June 15, 2021 4:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Hi Jonathan,

I’d be interested in seeing your standard data rider agreement. Even with a HECVAT assessment, we generally ask for 
some data protection language, working with General Counsel when they do the standard contract review.

I have had a lot of struggles over the years and particularly recently with vendors refusing to complete the HECVAT. It 
raises a red flag for sure. I have found that these vendors are either new to the market, or new to higher ed and 
haven’t matured their security programs yet.

I even had a case recently where a vendor provided the HECVAT saved as a PDF where they had done their own scoring and 
refused to provide the original spreadsheet so I could use the tool as it was intended—to complete the assessment myself.

Thanks,
Nell


Nell Feldman, CISSP (pronouns: she, her, hers)
IT Security Manager
Montgomery College
240-567-3120


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Tuesday, June 15, 2021 10:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Ah….   Okay….

So, what I do, in lieu of the HECVAT (and I can’t choose a different vendor), is a standard data rider agreement that 
we ask them to sign along with the contract that covers most of the critical pieces….

I’m happy to share if interested…..

-Jonathan





~
Jonathan Kimmitt
CISSP, FIP, CDPSE, CIPP/E, CIPM, CIPT,
OTCP, GLEG, GPEN, GSNA, PCIP, CEH
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Menne, Michael S
Sent: Tuesday, June 15, 2021 9:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Jonathan,
They disagree with the intent of the HECVAT vs. Lite.  They consider the HECVAT to be only for the most restricted data 
(HIPAA, PCI, SSN, etc.). They consider the HECVAT Lite to be good enough for “sensitive” data.  This is a vendor that a 
department on campus wants to use to move an existing on-premises solution to a cloud version.  I like the scoring feature of 
the HECVAT.  I haven’t used the HECVAT Lite a lot so far. The HECVAT has a good set of questions that allow me to get 
assurances of how a vendor handles their data security.




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Tuesday, June 15, 2021 8:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Did they give you a reason why they won’t fill it out?

I’ve had several that have refused… some we move to the next vendor, some we have signed NDAs to get the information…..

-Jonathan



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ruth Ginzberg
Sent: Tuesday, June 15, 2021 8:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Agree with Isaac … AND (perhaps because of the success of the HECVAT to date…) one of the things I’m finding I need to 
ask for is a RECENT version of the HECVAT … been getting some moldy oldies from some vendors that really need to be 
updated to the current version…

Ruth Ginzberg
608-890-3961

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Isaac Straley
Sent: Tuesday, June 15, 2021 8:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Obvious but just so it’s said: It is not up to the vendor what kind of assurance your program needs. It is entirely 
their choice if they want to do what you ask for or not.

Depending on the risk and our internal capacity to analyze, I’ve accepted other formats of assurance. But I take a hard 
look at suppliers who resist providing information, especially in a reusable vehicle like this. The answer to “why 
won’t they do this” is an important factor.

The HECVAT isn’t perfect but we’ve collectively really done a lot of good work to reduce the overhead on suppliers and 
it’s a good faith effort to ask for it, in my opinion.

Isaac


--

Isaac Straley
Chief Information Security Officer
University of Toronto



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Menne, Michael S" <000002306ce3cd04-dmarc-request () LISTSERV EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, June 15, 2021 at 6:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT - Vendor Refusal

For those that have used the HECVAT and HECVATlite, what has your response been to a vendor who refuses to fill out the 
full HECVAT and claims that HECVAT is only required for “sensitive data” (SSN, CC#, etc.)?

We have used the HECVAT lite only for situations where the data is completely public.  In all other situations, we’ve 
used the HECVAT. Most vendors take a few attempts to get the answers we are looking for, but I’ve only had one other 
that has said they won’t fill it out at all.

Thank you,

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
https://mankato.mnsu.edu/cyberaware

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community