Educause Security Discussion mailing list archives
Re: HECVAT Tool usage
From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Wed, 31 May 2017 16:54:50 +0000
I think this document is more an information gathering tool than an assessment tool. We have a similar set of questions we include with RFPs. Ideally, I believe that an institution should have policies and standards in place to which they hold vendors who wish to perform IT services for them. The questionnaire becomes a way of exploring whether the vendor meets those standards.

One way of creating the initial, baseline set of standards might be to look at an institution's internal standards for its own IT services. For example, say that the institution made a business decision that the risks associated with reusable passwords, unmanaged desktops, blindly trusted applications, and unimpeded Internet access were incompatible with its risk comfort level. They adjusted internal standards so that two-factor authentication is required for IT staff access, all employee desktops require centralized patch administration, Internet-exposed services are required to undergo an initial web application assessment and ongoing vulnerability testing, outbound Internet access from highly privileged IT administrators' desktops is restricted, and access to highly critical systems requires use of a VPN. Assuming the institution held that IT services could only be delivered with acceptable risk if these measures were in place, then if the institution wishes to outsource similar services, the providers of those services should be held to similar standards. Other possible standards that come to mind are criminal background checks and OWASP or equivalent developer training.

When comparing internal policies and standards with those applied to IT services vendors, the scale and scope of services must also be considered. A typical university data center has large numbers of diverse applications and data sets to protect. An IT services provider may be hosting only one application and a small subset of the data available in the university data center.
In general, policies and standards will need to vary depending on the sensitivity and volume of the data being handled and the criticality and risk of the service to the institution and its constituents. Validation will also need to vary. For services that present low risk to constituents and the institution, acceptance of the vendor's questionnaire answers may suffice. For services that present higher risk to constituents and/or the institution, validation of the vendor's answers may be required. In some cases third party audits or assessments may be appropriate. If a vendor's service cannot meet the standard, an exception and approval process can be included that requires written acknowledgement and acceptance of risk at an appropriate institutional level. If a vendor refuses to provide information necessary for a risk assessment, then a business decision needs to be made.

Gary Flynn
JMU IT Security
James Madison University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John R. LaPrad
Sent: Wednesday, May 31, 2017 11:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT Tool usage

We are talking about having cloud vendors fill out this assessment. I am wondering how institutions are using this document.

* Are vendors requested to fill it out during the RFP stage or after selection?
* Is it used to help make the purchase decision? If so, how is it quantified or scored so that responses can be compared across vendors?
* What if vendors say that information is proprietary and don't answer many of the questions?

Thank you for the input.

John LaPrad - CISSP, CIHE
Information Systems Security Manager
Saginaw Valley State University
7400 Bay Rd.
University Center, MI
Phone: 989-964-7134
jrl () svsu edu <mailto:jrl () svsu edu>
Current thread:
- HECVAT Tool usage John R. LaPrad (May 31)
- Re: HECVAT Tool usage Brad Judy (May 31)
- Re: HECVAT Tool usage Rob Milman (May 31)
- Re: HECVAT Tool usage Ruth Ginzberg (May 31)
- Re: HECVAT Tool usage Robert Smith (May 31)
- Re: HECVAT Tool usage Escue, Charles E (May 31)
- Re: HECVAT Tool usage Flynn, Gary - flynngn (May 31)
- Re: HECVAT Tool usage Sue McGlashan (May 31)
- Re: HECVAT Tool usage Alex Jalso (May 31)
- Re: HECVAT Tool usage John R. LaPrad (Jun 12)