Educause Security Discussion mailing list archives

Re: HECVAT - Vendor Refusal


From: Blake Penn <bpenn () COLGATE EDU>
Date: Fri, 16 Jul 2021 13:47:35 -0400

Jay makes a good point about 800-171.

Also, for everyone's benefit, I think that ISO 27001 is still very
misunderstood even after being around for over 20 years in its various
incarnations starting with BS 7799. ISO 27001 is a management
standard, not a data protection standard, and none of the controls
listed in Annex A are mandatory - they are simply controls that are
commonly used to treat cybersecurity risk. With ISO 27001 you get to
pick your own controls for treating risk whether they are from Annex A
or not. That is, ISO 27001 is 0% prescriptive about what controls to
use to protect data and systems.

NIST 800-171, PCI DSS, and the like are on the opposite side of this -
they are 100% prescriptive in that they lay out a set of controls that
must be used. If an entity is NIST 800-171 or PCI DSS compliant then
you know exactly what controls are in place. ISO 27001 certification
tells you absolutely nothing about what controls are in place - to get
this information you would need to examine the Statement of
Applicability (SoA) and the risk register. Also, ISO 27001 audits
don't test every control to ensure that they are all in place - the
audit is a test of the management system itself (the ISMS), not the
controls (even though several of them will end up getting tested in
the process of course).

Best regards,
Blake

--
Blake Penn
Chief Information Security Officer
Information Technology Services
Colgate University
315-228-7151
www.colgate.edu


On Fri, Jul 16, 2021 at 12:58 PM Jay Gallman <jay.gallman () duke edu> wrote:

Jeff,

At Duke we’ve taken the approach that if they have a current SOC 2 Type 2 that they will share then a HECVAT Lite
will suffice. That said I’m not at all comfortable with the 800-171 aspects of this. If this is with an eye to the
FAS intentions to go with 800-171 as their compliance framework, then I’m not sure a HECVAT tells you much in that
regard. It might be helpful to look at the mapping between 800-171 and ISO27001 and consider the gaps. If you’re
not aware of https://www.educause.edu/community/heisc-800-171-community-group you may want to consider joining.

Regards,

Jay

--
Jay Gallman, GCIH
Risk Management IT Analyst | IT Security Office | Duke University
Phone: 919 684-8060
My Availability: Microsoft 365





From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Jeff Choo 
<jeff_choo () WILLIAMJAMES EDU>
Date: Friday, July 16, 2021 at 9:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Hi All,

Just want to ask a follow-up question – I am trying to have a vendor fill out the HECVAT. The vendor said they
are ISO27001 certified and have passed the audit for SOC2. They said the certification is confidential and they will
allow me to view the documents, and I can keep a copy of the SOC3 report, but they won’t fill out the HECVAT. The
vendor in question is a financial aid software vendor and we are talking about financial aid production data.

I am wondering if anyone has any advice for this situation? Personally, I feel ISO27001 and SOC2 should sufficiently
cover all grounds including NIST800-171, but based on the criteria mapping it is not covering the full 100%. Should
I push for HECVAT?

Thanks

Jeff Choo

Director of Information Technology, Information Security Officer
William James College
1 Wells Avenue, Newton MA, 02459
E: Jeff_Choo () williamjames edu
O: (857) 299-7243
W: http://support.williamjames.edu









From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Robert Smith
Sent: Wednesday, June 16, 2021 7:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Hello,

Good afternoon.

Seeing the interest in Jonathan’s work, I thought I would share ours as well. U Tulsa and Univ of Cal address
similar points, but have slightly different ways of getting there.

Here is our “Data Security Appendix”:
https://www.ucop.edu/procurement-services/policies-forms/legal-forms-current/appendix-ds-8-12-2019.pdf

Here is our page for our internal Units who engage suppliers: https://security.ucop.edu/resources/contracts.html

We have some great suppliers who really understand the domain, and like many stated we have others who just do not
seem to get it. We are making progress in getting business partners to just drop the suppliers who show up with
silly responses. As we (the community) get bolder on this, then suppliers will get the message as the sales fall off.

Enjoy a jocund day,

Robert Smith, CISSP, PMP
Systemwide IT Policy Director/Security Director
Information Technology Services
University of California Office of the President
(510) 587-6244 (o)
(510) 541-8103 (m)
robert.smith () ucop edu



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

