Educause Security Discussion mailing list archives

Re: HECVAT Tool usage


From: Brad Judy <brad.judy () CU EDU>
Date: Wed, 31 May 2017 16:10:50 +0000

While we’re just starting to look at HECVAT specifically, here are some general answers for this type of thing:


  *   Are vendors requested to fill it out during the RFP stage or after selection?
     *   As part of an RFP process – it’s critical to do prior to selection IMO.
  *   Is it used to help make the purchase decision? If so, how is it quantified or scored so that responses can be compared across vendors?
     *   Yes, it’s part of the decision process. Our RFP process requires factors to be quantitative, so the topic of security might be given a weight related to other criteria. Additionally, we may identify specific items as true requirements (deal breakers). For example, secure transmission of data (SSL/TLS) might be an absolute requirement.
  *   What if vendors say that information is proprietary and don't answer many of the questions?
     *   This typically only happens with really large vendors (Oracle does this a lot) and it’s a case-by-case decision, largely based on what information they can/will provide. Sometimes it’s simply that they won’t answer custom sets of information, but might provide alternative information about their security (audits, company policies, etc.). Ultimately, it’s a business risk decision, not an information security office decision.


Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu


From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "John R. LaPrad" <jrl () SVSU EDU>
Organization: Saginaw Valley State University
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, May 31, 2017 at 9:59 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] HECVAT Tool usage


We are talking about having cloud vendors fill out this assessment. I am wondering how institutions are using this document.

  *   Are vendors requested to fill it out during the RFP stage or after selection?
  *   Is it used to help make the purchase decision? If so, how is it quantified or scored so that responses can be compared across vendors?
  *   What if vendors say that information is proprietary and don't answer many of the questions?

Thank you for the input.
John LaPrad - CISSP, CIHE
Information Systems Security Manager
Saginaw Valley State University
7400 Bay Rd. University Center, MI
Phone: 989-964-7134
jrl () svsu edu