Educause Security Discussion mailing list archives
Re: HECVAT - Vendor Refusal
From: Blake Penn <bpenn () COLGATE EDU>
Date: Fri, 16 Jul 2021 13:47:35 -0400
Jay makes a good point about 800-171. Also, for everyone's benefit, I think that ISO 27001 is still very misunderstood even after being around for over 20 years in its various incarnations starting with BS 7799. ISO 27001 is a management standard, not a data protection standard, and none of the controls listed in Annex A are mandatory - they are simply controls that are commonly used to treat cybersecurity risk. With ISO 27001 you get to pick your own controls for treating risk, whether they are from Annex A or not. That is, ISO 27001 is 0% prescriptive about what controls to use to protect data and systems.

NIST 800-171, PCI DSS, and the like are on the opposite side of this - they are 100% prescriptive in that they lay out a set of controls that must be used. If an entity is NIST 800-171 or PCI DSS compliant then you know exactly what controls are in place. ISO 27001 certification tells you absolutely nothing about what controls are in place - to get this information you would need to examine the Statement of Applicability (SoA) and the risk register.

Also, ISO 27001 audits don't test every control to ensure that they are all in place - the audit is a test of the management system itself (the ISMS), not the controls (even though several of them will end up getting tested in the process, of course).

Best regards,
Blake

--
Blake Penn
Chief Information Security Officer
Information Technology Services
Colgate University
315-228-7151
www.colgate.edu

On Fri, Jul 16, 2021 at 12:58 PM Jay Gallman <jay.gallman () duke edu> wrote:
Jeff,

At Duke we've taken the approach that if they have a current SOC 2 Type 2 that they will share, then a HECVAT Lite will suffice. That said, I'm not at all comfortable with the 800-171 aspects of this. If this is with an eye to the FAS intentions to go with 800-171 as their compliance framework, then I'm not sure a HECVAT tells you much in that regard. It might be helpful to look at the mapping between 800-171 and ISO27001 and consider the gaps.

If you're not aware of https://www.educause.edu/community/heisc-800-171-community-group you may want to consider joining.

Regards,
Jay

--
Jay Gallman, GCIH
Risk Management IT Analyst | IT Security Office | Duke University
Phone: 919 684-8060
My Availability: Microsoft 365

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Jeff Choo <jeff_choo () WILLIAMJAMES EDU>
Date: Friday, July 16, 2021 at 9:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Hi All,

Just want to ask a follow-up question. I am trying to have a vendor fill out the HECVAT. The vendor said they are ISO27001 certified and have passed the audit for SOC2. They said the certification is confidential; they will allow me to view the documents, and I can keep a copy of the SOC3 report, but they won't fill out the HECVAT. The vendor in question is a financial aid software vendor and we are talking about financial aid production data.

I am wondering if anyone has any advice for this situation? Personally, I feel ISO27001 and SOC2 should sufficiently cover all grounds including NIST800-171, but based on the criteria mapping it is not covering the full 100%. Should I push for HECVAT?
Thanks,
Jeff Choo
Director of Information Technology, Information Security Officer
William James College
1 Wells Avenue, Newton MA, 02459
E: Jeff_Choo () williamjames edu
O: (857) 299-7243
W: http://support.williamjames.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Robert Smith
Sent: Wednesday, June 16, 2021 7:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Hello, good afternoon.

Seeing the interest in Jonathan's work, I thought I would share ours as well. U Tulsa and Univ of Cal address similar points, but have slightly different ways of getting there.

Here is our "Data Security Appendix": https://www.ucop.edu/procurement-services/policies-forms/legal-forms-current/appendix-ds-8-12-2019.pdf

Here is our page for our internal Units who engage suppliers: https://security.ucop.edu/resources/contracts.html

We have some great suppliers who really understand the domain, and like many stated, we have others who just do not seem to get it. We are making progress in getting business partners to just drop the suppliers who show up with silly responses. As we (the community) get bolder on this, then suppliers will get the message as the sales fall off.

Enjoy a jocund day,
Robert Smith, CISSP, PMP
Systemwide IT Policy Director/Security Director
Information Technology Services
University of California Office of the President
(510) 587-6244 (o)
(510) 541-8103 (m)
robert.smith () ucop edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at https://www.educause.edu/community