Educause Security Discussion mailing list archives

Re: HECVAT Security Assessment Question


From: Joanna Grama <jgrama () EDUCAUSE EDU>
Date: Wed, 28 Jun 2017 14:51:55 +0000

Hi Kevin,
Great question. One of the goals of the HECVAT working group this fall is to figure out the best way to share 
information about the institutions that are using HECVAT (and the service providers involved).  As you might imagine, 
information sharing is a bit informal at the moment until we work through the ins/outs of how to do this properly.

However, we can be somewhat more deliberate about our informal efforts.  If your institution has used the HECVAT, and 
you would be interested in sharing upon request your experiences with the tool and vendor responses, please fill out 
our very low-fi Google form:
https://docs.google.com/forms/d/e/1FAIpQLSd2ZfXc6ZsxgncDnQzcNa7zFt-pr3ko39e7z6E2XtcoZvd47Q/viewform?usp=sf_link

You will need to submit one response per service provider/product completing a HECVAT (which will make sorting the 
response spreadsheet for products/institutions a bit easier).  We will be able to use this list to potentially match up 
institutions when we get requests like the one that I shared this morning.


Finally, if you have used the HECVAT and want to share information about your experiences with the tool, please 
consider taking the working group’s feedback survey: https://www.surveymonkey.com/r/PQSLMBK


Kind regards,
Joanna


Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu

Attend the EDUCAUSE Metrics Mania! <https://events.educause.edu/webinar/2017/metrics-mania-using-metrics-to-bolster-your-higher-education-information-security-program> online seminar, August 9, 2017.





From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Davis, Kevin
Sent: Wednesday, June 28, 2017 10:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT Security Assessment Question

Hi Joanna,

I’ll take this opportunity to raise a tangential question on HECVAT!

Davidson College is adopting HECVAT/HECVAT Lite for vendor assessments.  Being end of fiscal year, we’ve had a large 
number of cloud/SaaS software purchase requests from departments and have been evaluating several small/midsize vendors 
and encouraging them to follow HECVAT.

One question we’re getting is what other schools are using HECVAT, since for many smaller vendors this is the first 
they’re hearing about it.  Is there a list of what schools have adopted?  The more schools we can share that have 
bought in, the better the compliance…

Kevin

--
Kevin Davis
Deputy CIO & Director, Core Services
Davidson College ITS

(704) 894-2405 (office) | (980) 319-8538 (mobile)


From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Joanna Grama <jgrama () EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wednesday, June 28, 2017 at 10:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT Security Assessment Question

Good morning list mates:

We have received an email from a member looking to see if:

1) If any institution has a completed HECVAT for Microsoft Office 365/OneDrive, Box and ServiceNow

2) If the vendor’s responses for that completed HECVAT allowed sharing with other higher education institutions

If the answers to the above questions are “yes,” could you contact me off list please?  We have a member that would 
like to speak with you about your experiences.

Kind regards,
Joanna

Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu
