Educause Security Discussion mailing list archives

Re: HECVAT Tool usage


From: "Escue, Charles E" <cescue () IU EDU>
Date: Wed, 31 May 2017 16:22:32 +0000

Hello John,

 

I’ll speak for our usage at Indiana University. We have used the HECVAT in some form since its publication in October 
2016. It has been our primary assessment tool for cloud services / institutional data sharing since January 2017. I’ve 
formatted my answers to match yours for clarity. 

 

· Yes, and yes. Requests for assessments come from both stages.

· Yes. We use the HECVAT as the primary means of assessing a cloud vendor. If our evaluation of the HECVAT (or 
any other document) finds unacceptable risks (determined by our data stewards), approval for purchase may not be granted.

· Some vendors required an NDA before providing a populated HECVAT. If they decline to answer any question(s), 
it is their choice. If it hinders our assessment of a particular vendor/request, it is documented in our evaluation 
summary.

 

I’m willing to speak offline if you’re interested.

 

Charlie

 

Charles Escue, GISP

Lead Security Analyst

University Information Security Office

 

2709 East 10th Street

Bloomington, IN 47408

Office: (812) 856-3334

cescue () iu edu

 

 

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () listserv educause edu> on behalf of "John R. 
LaPrad" <jrl () SVSU EDU>
Organization: Saginaw Valley State University
Reply-To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () listserv educause edu>
Date: Wednesday, May 31, 2017 at 11:59 AM
To: "SECURITY () listserv educause edu" <SECURITY () listserv educause edu>
Subject: [SECURITY] HECVAT Tool usage

 

We are talking about having cloud vendors fill out this assessment. I am wondering how institutions are using this 
document. 

· Are vendors requested to fill it out during the RFP stage or after selection? 

· Is it used to help make the purchase decision? If so, how is it quantified or scored so that responses can 
be compared across vendors?

· What if vendors say that information is proprietary and don't answer many of the questions? 

Thank you for the input.

John LaPrad - CISSP, CIHE
Information Systems Security Manager
Saginaw Valley State University

7400 Bay Rd. University Center, MI

Phone: 989-964-7134
jrl () svsu edu
