Re: HECVAT Security Assessment Question

[Velislav K Pavlov <VelislavPavlov () FERRIS EDU>]

It would be convenient to have a centralized repository. We were using CSA STAR to assess hosted solutions. The benefit 
of CSA STAR is the availability of the attestation documentation so other institutions won't have to reinvent the wheel 
and wait for request & response for information. One example is SalesForce 
https://cloudsecurityalliance.org/star-registrant/salesforce-com-inc/. The centralized repository also helps with 
version control and provides dates/times for when the attestation was last submitted/reviewed. Our University is 
supportive of HECVAT as we recognize the tailored approach to education and the benefit of information sharing within 
our community.

What we found out is that the assessment regardless if it's CSA CCM/CAIQ or HECVAT, takes time and it's difficult to 
convince the vendor (cybersecurity team) to go through the hundreds of questions. Where we found some success is the 
fact that once the vendor fills out the document it can benefit other institutions. It becomes marketing material for 
the vendor to acquire new business by demonstrating that they have adequate security controls to protect client data at 
rest and in transit.


Vel Pavlov | Coordinator, IT Security
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE,
Security+, CNA, MPCS, ITILv3F, A+
[cid:image001.png@01D24414.DC8BCD70]


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joanna 
Grama
Sent: Wednesday, June 28, 2017 10:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT Security Assessment Question

**Notice** This message is from a sender outside of the Ferris Office 365 mail system. Use caution when clicking links 
or opening attachments. For assistance determining if this email is safe, please contact TAC.
________________________________
Good morning list mates:

We have received an email from a member looking to see if:

1)     If any institution has a completed HECVAT for Microsoft Office 365/OneDrive, Box and ServiceNow

2)     If the vendor's responses for that completed HECVAT allowed sharing with other higher education institutions

If the answers to the above questions are "yes," could you contact me off list please?  We have a member that would 
like to speak with you about your experiences.

Kind regards,
Joanna

Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu<mailto:jgrama () educause edu>

Attend the EDUCAUSE Metrics 
Mania!<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fevents.educause.edu%2Fwebinar%2F2017%2Fmetrics-mania-using-metrics-to-bolster-your-higher-education-information-security-program&data=01%7C01%7CVelislavPavlov%40ferris.edu%7C30cc3ec63c244eac064b08d4be2e724e%7C64b0362e85c04e95a4ce5651d96cb739%7C1&sdata=WGpFHCp%2ByjPDND5DpgsNJ%2Bz4HixE3bhE5x6hcgeLnwI%3D&reserved=0>
 online seminar, August 9, 2017.