Educause Security Discussion mailing list archives

Re: HECVAT Security Assessment Question


From: Mark Dieterich <mkd () BROWN EDU>
Date: Thu, 6 Jul 2017 18:20:15 -0400

Davidson College is adopting HECVAT/HECVAT Lite for vendor assessments.  

At Brown, we are trying to move towards adopting HECVAT/HECVAT Lite for all vendor assessments as well. So far, we 
haven’t run into the IBM scenario yet and we had our first instance of a vendor (Workfront) who had already seen it and 
turned it around almost instantly. Thanks to whoever forged the way for us!

Being end of fiscal year, we’ve had a large number of cloud/SaaS software purchase requests from departments


If I could derail this conversation slightly, I’d be really interested in learning what your staffing to support vendor 
assessments looks like. We seem to be continuously trying to play catch-up with assessments and it’s taking way more 
time than the cycles we have allotted. A vast majority of our time seems to be tied up in chasing down information and 
getting people to actually respond! Although in some cases, wading through the reams of documentation from a vendor can 
take significant time as well. At present, our team of two part-time people (very part-time on paper for at least one 
of these anyways) seems to be consistently trying to do contract reviews and security assessments on just north of 20 
contracts concurrently. I’m trying to figure out if we are just hugely inefficient, we are attempting to be too 
detailed in our reviews, or we are truly understaffed. Are we the only ones in this situation? Anyone have a better 
model?

Mark
