Educause Security Discussion mailing list archives

Re: HECVAT Tool usage


From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Wed, 31 May 2017 16:54:50 +0000

I think this document is more an information gathering tool than an assessment 
tool. We have a similar set of questions we include with RFPs.

Ideally, I believe that an institution should have policies and standards in 
place to which they hold vendors who wish to perform IT services for them. The 
questionnaire becomes a way of exploring whether the vendor meets those 
standards.

One way of creating the initial, baseline set of standards might be to look at 
an institution's internal standards for its own IT services. For example, say 
that the institution made a business decision that the risks associated with 
reusable passwords, unmanaged desktops, blindly trusted applications, and 
unimpeded Internet access were incompatible with its risk comfort level. They 
adjusted internal standards so that two-factor authentication is required for 
IT staff access, all employee desktops require centralized patch 
administration, Internet-exposed services are required to undergo an initial 
web application assessment and ongoing vulnerability testing, outbound 
Internet access from highly privileged IT administrators' desktops was 
restricted, and access to highly critical systems required use of a VPN. 
Assuming the institution held that IT services could only be delivered with 
acceptable risk if these measures were in place, then if the institution 
wishes to outsource similar services, the providers of those services should 
be held to similar standards. Other possible standards that come to mind are 
criminal background checks and OWASP or equivalent developer training.

When comparing internal policies and standards with those applied to IT 
services vendors, the scale and scope of services must also be considered. A 
typical university data center has large numbers of diverse applications and 
data sets to protect. An IT services provider may be hosting only one 
application and a small subset of data available in the university data 
center.

In general, policies and standards will need to vary depending on the 
sensitivity and volume of the data being handled and the criticality and risk 
of the service to the institution and its constituents.

Validation will also need to vary. For services that present low risk to 
constituents and the institution, acceptance of the vendor's questionnaire 
answers may suffice. For services that present higher risk to constituents 
and/or the institution, validation of the vendor's answers may be required. In 
some cases third-party audits or assessments may be appropriate.

If a vendor's service cannot meet the standard, an exception and approval 
process can be included that requires written acknowledgement and acceptance 
of risk at an appropriate institutional level.

If a vendor refuses to provide information necessary for a risk assessment, 
then a business decision needs to be made.

Gary Flynn
JMU IT Security
James Madison University

From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John R. LaPrad
Sent: Wednesday, May 31, 2017 11:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT Tool usage

We are talking about having cloud vendors fill out this assessment. I am 
wondering how institutions are using this document.

* Are vendors requested to fill it out during the RFP stage or after 
  selection?
* Is it used to help make the purchase decision? If so, how is it quantified 
  or scored so that responses can be compared across vendors?
* What if vendors say that information is proprietary and don't answer many of 
  the questions?

Thank you for the input.

John LaPrad - CISSP, CIHE
Information Systems Security Manager
Saginaw Valley State University

7400 Bay Rd. University Center, MI

Phone: 989-964-7134
jrl () svsu edu
