Educause Security Discussion mailing list archives

Re: HECVAT Security Assessment Question


From: Sue McGlashan <sue.mcglashan () UTORONTO CA>
Date: Fri, 14 Jul 2017 18:42:15 +0000

Hi
For RFPs, we have a pass / fail on security, and we have started asking only the final proponents to complete our questionnaire, rather than all.
I agree that good security seems to be generally associated with good function.

Now that we are moving towards using the HECVAT, I have a separate supplemental document that asks the privacy questions we need answered to check FIPPA (Ontario) compliance.
I am happy to share, Andy.
-- 
Sue McGlashan, 
Information Security Architect, ISEA
University of Toronto


 

 

On 2017-07-14, 2:15 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Andy Hooper" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of hooper () QUEENSU CA> wrote:

    For RFPs we do two stages. All bidders complete about twenty fairly easy
    questions. This gives enough information for a sense of the security
    maturity. Once a preferred bid has been selected, we do more detailed
    questions during the negotiation phase. That could result in adding work
    items to the contract, or in the worst case, moving on to the next
    preference. Security has very low weight in our RFP scoring, but as long
    as price isn't weighted too high, then good security seems to be
    generally associated with good function.
    
    HECVAT doesn't have much on privacy. Are people using HECVAT doing
    something separate for privacy and access-to-information aspects?
    
    - Andy Hooper - IT Services - Queen's University -
    

