Re: HECVAT help

[Vince Bonura <vbonura () FORDHAM EDU>]

Chris,

I greatly appreciate the quick response!

I asked a different vendor, who also sent an outdated SOC2, to send an
updated version. I was instead provided a "Bridge Letter" from their CISO,
attesting that the controls tested and verified the year prior were still
in place. This was to appease me until they could provide a current report
next month. The problem is that our Wellness Group wanted to finalize this
contract two weeks ago! I just told them that I could not approve the
vendor's risk controls as reported. While I was hoping to avoid this step,
I sent the Wellness Group an IRQ and a DDQ to the vendor.

However, the vendor I referred to in my original post has given evasive
answers to pointed questions AND has provided two outdated reports. This is
a vendor that one of our colleges wanted to be signed two weeks ago too.

P.S. - Contract reviews and our internal process flow are new to me. So, I
am going through a crash course in vendor report reviews.

Vince Bonura
*IT Risk Analyst*

*Fordham University*
*(718) 817-1875*


On Mon, Sep 13, 2021 at 5:12 PM Christian Schreiber <chris () cschreiber llc>
wrote:

> Vince - I would always push for a SOC 2 / Type 2 first. If they have
> mature processes they should be able to readily produce their current
> version. The HECVAT is a good option if they don't have a report from their
> auditor, but I'd also view the lack of a SOC report as a red flag about the
> maturity of their internal controls and security program.
>
> Keep in mind the SOC 2 / Type 2 is attesting to the efficacy of their
> controls over a 12 month period, so it's not unusual to see one that was
> produced around a year earlier. I'd ask the vendor point blank when they'll
> have their updated report available. It could mean they're remediation
> something before finalizing the report, or they may have decided to let the
> whole process lapse. You're within your right as a customer to find out so
> you can make an informed decision about the risk of working with them.
>
> Similarly, if the HECVAT is a year old I'd push for updated verification
> from them that their answers are still relevant.
>
> Hope that helps.
> - Chris
>
>
> ---
> Christian Schreiber, CISM, PMP
>
> Office: 520.497.3614
> Email: chris () cschreiber llc
> Web: www.cschreiber.llc
>
> C Schreiber LLC
> Simplify your university cybersecurity strategy
>
> Sent from a mobile device. Please excuse any typos.
> ------------------------------
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Vince Bonura <
> vbonura () FORDHAM EDU>
> *Sent:* Monday, September 13, 2021 3:51:59 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject:* Re: [SECURITY] HECVAT help
>
>
> George,
>
>
>
> Your post is timely! I just attended a HECVAT Working Group meeting and
> wanted to ask a related question.
>
>
>
> I joined the workgroup with hopes of gaining an understanding of the
> HECVAT and how it should be used. While I know the basic concept, I am just
> now reading my first vendor completed HECVAT that I received last Thursday.
>
>
>
> The question I wanted to ask is: What’s the comparison between a SOC2,
> Type 2 and the HECVAT?
>
>
>
>
> I originally requested a SOC2, Type 2 report from the vendor and received
> one dated 6/30/20. When I asked for a current copy, I was told that they
> completed a HECVAT and would supply that. The HECVAT I received from the
> vendor is dated 6/22/20.
>
>
>
> My assumption is that an outdated HECVAT is no better than an outdated
> SOC2, Type 2.
>
>
>
> Does everyone agree?
>
>
>
> Thank you.
>
>
>
> Vince Bonura
>
> IT Risk Analyst
>
>
>
> Fordham University
>
> (718) 817-1875
>
>
>
> *From: *The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Viegas, George <
> viegas () CHAPMAN EDU>
> *Date: *Monday, September 13, 2021 at 4:38 PM
> *To: *SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject: *[SECURITY] HECVAT help
>
> Hi Brian,
>
>
>
> I’m looking for resources to help understand how to read the HECVAT,
> specifically how to know what is a fully completed submission v/s an
> incomplete. The EDUCAUSE HECVAT webpage did not have resources to help me
> read and use a HECVAT. Could you please help me find the right resource?
>
>
>
> Thanks,
>
>
>
> -George
>
>
>
> George Viegas, *CIPP-US, CISSP, CISA*
>
> Chief Information Security Officer/Privacy Champion
>
> Chapman University, Orange CA
>
> viegas () chapman edu/ 714-744-7979
>
> Secure your Chapman Account today @ 2fa.chapman.edu !
>
>
>
>
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__nam11.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Furldefense.proofpoint.com-252Fv2-252Furl-253Fu-253Dhttps-2D3A-5F-5Fwww.educause.edu-5Fcommunity-2526d-253DDwMFAg-2526c-253DaqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM-2526r-253DNk8cCINtlhG31-2DFfb7ODxRPQfUwqyHQCQ2enNUcj0Vc-2526m-253DW-5FAzyw64JNH4aaeAC7Tmd2Ga8nHTEyfLtiAlQHgWYLI-2526s-253D6WXhTghqS-5FVlwkAhMTD3CCgBCeaR4FSWo-2DKqScNBeOA-2526e-253D-26data-3D04-257C01-257Cchris-2540CSCHREIBER.LLC-257C2628de80117e4fdb418208d976f857f4-257C18c077a173f64e91ac2977b69ff7c44a-257C0-257C0-257C637671631300490106-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C1000-26sdata-3DH00QTLBu5aJE-252FDqFp9y0OlalzX0loERI38MT1P2gAk4-253D-26reserved-3D0&d=DwMF-g&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=Nk8cCINtlhG31-Ffb7ODxRPQfUwqyHQCQ2enNUcj0Vc&m=v_ejzAaiGZw_jg4GJ60VR-fXd9JRHiEkgkQsdIthz8U&s=4Wht3xP2nfo6c4gaD52vI3b69GKVu32NEiPclQaM-YI&e=>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__nam11.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwww.educause.edu-252Fcommunity-26data-3D04-257C01-257Cchris-2540CSCHREIBER.LLC-257C2628de80117e4fdb418208d976f857f4-257C18c077a173f64e91ac2977b69ff7c44a-257C0-257C0-257C637671631300500065-257CUnknown-257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0-253D-257C1000-26sdata-3DaLwXakYgqM7QnjyRQIttd9iy9sSVIoXDzET30zo7fo0-253D-26reserved-3D0&d=DwMF-g&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=Nk8cCINtlhG31-Ffb7ODxRPQfUwqyHQCQ2enNUcj0Vc&m=v_ejzAaiGZw_jg4GJ60VR-fXd9JRHiEkgkQsdIthz8U&s=zVE298tdhkbs3MIGR1VjlAS3eExKdWu7TVgnLbDqSy4&e=>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_community&d=DwMF-g&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=Nk8cCINtlhG31-Ffb7ODxRPQfUwqyHQCQ2enNUcj0Vc&m=v_ejzAaiGZw_jg4GJ60VR-fXd9JRHiEkgkQsdIthz8U&s=08lmbbTksPGhQ4TCK5XJDjBjK-5ltDbO6pcUuo5i_44&e=>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community