Educause Security Discussion mailing list archives
Re: HECVAT - Vendor Refusal
From: Sue McGlashan <sue.mcglashan () UTORONTO CA>
Date: Fri, 16 Jul 2021 14:24:17 +0000
Jeff,

I have in the past accepted ISO and SOC2 as a replacement, for “world class” vendors. Since you do not have full coverage, would the company answer extra questions?

* And that additional individualized assessment is a killer on productivity.

Sue McGlashan
Information Risk Manager, IS, ITS
416 946 3260

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Jeff Choo <jeff_choo () WILLIAMJAMES EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, July 16, 2021 at 9:48 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Hi All,

Just want to ask a follow-up question – I am trying to have a vendor fill out the HECVAT. The vendor said they are ISO27001 certified and have passed the audit for SOC2. They said the certification is confidential; they will allow me to view the documents, and I can keep a copy of the SOC3 report, but they won’t fill out the HECVAT.

The vendor in question is a financial aid software vendor and we are talking about financial aid production data. I am wondering if anyone has any advice for this situation? Personally, I feel ISO27001 and SOC2 should sufficiently cover all grounds including NIST 800-171, but based on the criteria mapping it is not covering the full 100%. Should I push for HECVAT?

Thanks

Jeff Choo
Director of Information Technology, Information Security Officer
William James College
1 Wells Avenue, Newton MA, 02459
E: Jeff_Choo () williamjames edu
O: (857) 299-7243
W: http://support.williamjames.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Robert Smith
Sent: Wednesday, June 16, 2021 7:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Hello,

Good afternoon. Seeing the interest in Jonathan’s work, I thought I would share ours as well. U Tulsa and Univ of Cal address similar points, but have slightly different ways of getting there.

Here is our “Data Security Appendix”:
https://www.ucop.edu/procurement-services/policies-forms/legal-forms-current/appendix-ds-8-12-2019.pdf

Here is our page for our internal Units who engage suppliers:
https://security.ucop.edu/resources/contracts.html

We have some great suppliers who really understand the domain, and like many stated we have others who just do not seem to get it. We are making progress in getting business partners to just drop the suppliers who show up with silly responses. As we (the community) get bolder on this, then suppliers will get the message as the sales fall off.

Enjoy a jocund day,

Robert Smith, CISSP, PMP
Systemwide IT Policy Director/Security Director
Information Technology Services
University of California Office of the President
(510) 587-6244 (o)
(510) 541-8103 (m)
robert.smith () ucop edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Re: HECVAT - Vendor Refusal Jeff Choo (Jul 16)
- Re: HECVAT - Vendor Refusal Jay Gallman (Jul 16)
- Re: HECVAT - Vendor Refusal Blake Penn (Jul 16)
- <Possible follow-ups>
- Re: HECVAT - Vendor Refusal Harvard Townsend (Jul 16)
- Re: HECVAT - Vendor Refusal Jeff Choo (Jul 16)
- Re: HECVAT - Vendor Refusal Weissbohn, David (Jul 21)
- Re: [EXT] Re: [SECURITY] HECVAT - Vendor Refusal Wilson, Lawrence (Jul 16)
- Re: HECVAT - Vendor Refusal Jeff Choo (Jul 16)
- Re: HECVAT - Vendor Refusal Sue McGlashan (Jul 16)
- Re: HECVAT - Vendor Refusal Jay Gallman (Jul 16)