Educause Security Discussion mailing list archives

Re: HECVAT - Vendor Refusal


From: Sue McGlashan <sue.mcglashan () UTORONTO CA>
Date: Fri, 16 Jul 2021 14:24:17 +0000

Jeff, I have in the past accepted ISO and SOC2 as a replacement, for “world class” vendors.

Since you do not have full coverage, would the company answer extra questions?

* And that additional individualized assessment is a killer on productivity.


Sue McGlashan
Information Risk Manager, IS, ITS
416 946 3260



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Jeff Choo <jeff_choo () WILLIAMJAMES EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, July 16, 2021 at 9:48 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Hi All,

Just want to ask a follow-up question – I am trying to have a vendor fill out the HECVAT.  The vendor said they are 
ISO27001 certified and have passed the audit for SOC2.  They said the certification is confidential and they will allow 
me to view the documents, and I can keep a copy of the SOC3 report, but they won't fill out the HECVAT.  The vendor in 
question is a financial aid software vendor and we are talking about financial aid production data.

I am wondering if anyone has any advice for this situation?  Personally, I feel ISO27001 and SOC2 should sufficiently 
cover all grounds including NIST800-171, but based on the criteria mapping it is not covering the full 100%.  Should I 
push for HECVAT?

Thanks

Jeff Choo

Director of Information Technology, Information Security Officer
William James College
1 Wells Avenue, Newton MA, 02459
E: Jeff_Choo () williamjames edu
O: (857) 299-7243
W: http://support.williamjames.edu




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Robert Smith
Sent: Wednesday, June 16, 2021 7:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal


Hello,

Good afternoon.

Seeing the interest in Jonathan’s work, I thought I would share ours as well.  U Tulsa and Univ of Cal address similar 
points, but have slightly different ways of getting there.

Here is our "Data Security Appendix": 
https://www.ucop.edu/procurement-services/policies-forms/legal-forms-current/appendix-ds-8-12-2019.pdf

Here is our page for our internal Units who engage suppliers: 
https://security.ucop.edu/resources/contracts.html

We have some great suppliers who really understand the domain, and like many stated we have others who just do not seem 
to get it.  We are making progress in getting business partners to just drop the suppliers who show up with silly 
responses.  As we (the community) get bolder on this, then suppliers will get the message as the sales fall off.

Enjoy a jocund day,
Robert Smith, CISSP, PMP
Systemwide IT Policy Director/Security Director
Information Technology Services
University of California Office of the President
(510) 587-6244 (o)
(510) 541-8103 (m)
robert.smith () ucop edu


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
This message may contain confidential information intended only for the individual named. If you received this message 
by mistake, please let the sender know by e-mail reply and delete it from your system. If you are not the intended 
recipient you are hereby notified that disclosing, copying, distributing or taking any action in reliance on the 
contents of this information is strictly prohibited.
