Educause Security Discussion mailing list archives

Re: HECVAT Security Assessment Question


From: Shelton Waggener <swaggener () INTERNET2 EDU>
Date: Wed, 19 Jul 2017 18:53:02 +0000

Kevin,
I think that’s true for all of higher ed – generally speaking regardless of size our market is such that we simply 
don’t generate the kinds of margins expected by these providers. However, if we require it for a program like 
Internet2’s cloud services NET+ effort, then the requirements for all the largest campuses individually are aggregated 
together (which the companies are willing to do if required, which we plan for HECVAT) which will then benefit all 
institutions.  That’s the goal of the community work and partnership with Educause.

For this particular provider, feel free to reach out to me individually and I can work with you to see if we can 
influence them as they are not currently in the program.

Shel

Shelton Waggener
Senior Vice President
Internet2 

mailto: <swaggener () internet2 edu>
office: 510-858-0881
mobile: 510-710-3360
twitter: shelwaggener
6001 Shellmound Street, Suite 850
Emeryville, CA 94608

Assistant: Elaine Alejo
mailto: <ealejo () internet2 edu>
office: 510-858-0881

On 7/19/17, 11:43 AM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Davis, Kevin" <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of kedavis () DAVIDSON EDU> wrote:

    One other data point to add to the discussion. We are in the market for an HR benefits solution and HR's outside 
consultant, a household name in the field as far as I’m concerned, opined that they had never seen an organization of 
our relatively small size ask the level of detailed questions seen on the (full) HECVAT. 
    
    This raises another challenge we have to think about in re HECVAT — as a small college, the revenue/profit our deal 
will bring may be insufficient to motivate a detailed reply, vs what a large research-intensive university/academic 
medical center org can justify.
    
    We were largely using HECVAT Lite but expect we will switch to Lite for all requests, and just assess individual 
full-version questions where required by compliance...
     
    Kevin
    
    -- 
    Kevin Davis
    Deputy CIO & Director, Core Services
    Davidson College ITS
    
    On 7/13/17, 11:56 AM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Velislav K Pavlov" <SECURITY 
() LISTSERV EDUCAUSE EDU on behalf of VelislavPavlov () FERRIS EDU> wrote:
    
    >Rob, it's common for vendors to refuse to complete the risk assessment. Especially if they don't have their act 
together when it comes to assuring information security and privacy. We transitioned to using HECVAT as a template, but 
we also request attestation in the form of qualified third party assessment. This can be PCI DSS, HIPAA audit, NIST 
800-30 audit, ISO27001 certificate, proof of on-going vulnerability discovery and remediation, SSAE16 SOC 2 Type 2, CSA 
STAR, etc. It depends on the type of data and compliance requirements surrounding it. 
    >
    >When we receive push back from the vendor or the institution, we resort to due care and due diligence. In our risk 
analysis, we assess qualitatively and quantitatively the risk, exposure, impact, and likelihood based on discovered 
vulnerabilities and the identified type of data and attack surface. We make a recommendation that the risk is low, 
medium, high, or critical. We outline what the risk is and specify recommended corrective actions which are actionable. 
If the University leadership decides to accept the risk, we ask them to complete a risk acceptance form. It raises 
awareness that my team has done our due care and diligence to do our job and help our leadership make educated 
decisions. It specifies why the risk is acceptable and requires sign off from the VP, Dean for the area, IT Security, 
and the CTO/CIO. Please let me know if you are interested in the risk assessment form or acceptance. I can share via 
email. 
    >
    >Vel Pavlov | Coordinator, IT Security 
    >M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE, 
    >Security+, CNA, MPCS, ITILv3F, A+ 
    >VelPavlov () ferris edu
    >
    >
    >
    >
    >-----Original Message-----
    >From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rob 
Milman
    >Sent: Thursday, July 13, 2017 11:30 AM
    >To: SECURITY () LISTSERV EDUCAUSE EDU
    >Subject: Re: [SECURITY] HECVAT Security Assessment Question
    >
    >Hi everyone,
    >
    >I've been watching this thread with interest. We made the decision to begin using the HECVAT this spring to 
replace our SaaS assessment that was just not detailed enough. I am currently working on 5 different engagements with 
cloud service providers and 3 of them have outright refused to complete the HECVAT. The other 2 are being evaluated and 
they haven't got back to me yet.
    >
    >Some of the vendors that have rejected the HECVAT have provided their own documentation, but I can find no 
evidence of a third-party assessment. We have gone as far as telling the institution that we cannot support the cloud 
vendor as a risk assessment was not completed; the institution has gone ahead and signed contracts with these vendors 
anyway, without our acceptance.
    >
    >Has anyone else had vendors refuse to complete the HECVAT? What has been the result? Is there a lighter version of 
the HECVAT that you would be willing to share?
    >
    >Our institution is beginning to question the hard line we have taken with regards to cloud vendors; we may have to 
stand down.
    >
    >Thanks,
    >
    >Rob
    >
    >-----Original Message-----
    >From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
José A. Domínguez
    >Sent: Monday, July 10, 2017 4:45 PM
    >To: SECURITY () LISTSERV EDUCAUSE EDU
    >Subject: Re: [SECURITY] HECVAT Security Assessment Question
    >
    >Hello Sue. Your approach seems similar to what I am trying to do at UO.
    >I am engaging the office of Purchasing and Contracting Services and working on adopting HECVAT as part of their 
evaluation criteria for vendor selection. That way it's part of what the vendors need to do if they want our business 
and it's part of what departments need to look for when engaging businesses. The question is agreeing on what kind of 
cloud service solution requires what level of evaluation. I'll let you know how successful this approach is.
    >
    >José.
    >
    >
    >On 7/7/17 5:14 AM, Sue McGlashan wrote:
    >> Hi Mark
    >>
    >> You derailed the conversation exactly into what I was talking about yesterday within our team - speediness vs 
effectiveness. We need to be both effective and efficient, but effective does take time. Please see more below, and 
thank you for opening the conversation.
    >>
    >>     >   At Brown, we are trying to move towards adopting HECVAT/HECVAT Lite for all vendor assessments as well. 
So far, we haven’t run into the IBM scenario yet and we had our first instance of a vendor (Workfront) who had already 
seen it and turned it around almost instantly, thanks to whoever forged the way for us!
    >>
    >>      >   If I could derail this conversation slightly, I’d be really interested in learning what your staffing 
to support vendor assessments looks like. We seem to be continuously trying to play catch up with assessments
    >>
    >> Yes, we play a game of catch up all of the time, and any delayed projects seem to arrive in the middle of a high 
volume of projects, not when we had planned time to complete them … we all know this story - and I am sure you all also 
have internal projects, and you probably also need to look at both privacy and security.
    >>
    >>     > and it’s taking way more time than the cycles we have allotted. A vast majority of our time seems to be 
tied up in chasing down information and getting people to actually respond!
    >>
    >> Agreed about the time, and to make it worse, sometimes the response is poor, so although a questionnaire is 
provided, it is filled in by marketing, or else the vendor has a weak security team - i.e. we cannot use it as is.
    >>
    >> Solution? - Please let me know if you have other suggestions. I am adjusting our process - we need a better 
intake, so that as vendor responses come in, we quickly review the supplied documentation, and immediately contact the 
vendor if the information is inadequate. This should reduce the overall time per project, but it will interrupt current 
projects. I am hoping for a longer-term win.
    >>
    >>     > Although in some cases, wading through the reams of documentation from a vendor can take significant time 
as well. At present, our team of two part-time people (very part time on paper for at least one of these anyways) seems 
to be consistently trying to do contract reviews and security assessments on just north of 20 contracts concurrently. 
I’m trying to figure out if we are just hugely inefficient, we are attempting to be too detailed in our reviews, or we 
are truly understaffed. Are we the only ones in this situation? Anyone have a better model?
    >>      > Mark
    >>
    >> Overall, it takes time!  I am looking at how we can more efficiently complete an assessment, but I do not want 
to change to a check box approach since we have discovered some concerns that such an approach would not have.  
However, when I asked the team to be more efficient, that was interpreted as rushing the work, resulting in the need to 
re-review some of the assessment.
    >>
    >> No, you are not the only ones in this situation.
    >> If we decide an assessment must be completed, we should be thorough.
    >> Yes, I think if we are to do all of the assessments, we will need more staff. (But e.g. Workfront - hopefully in 
the longer term we will be able to share the results of our security reports/assessments, so we are also not each 
individually reviewing each vendor.)
    >>
    >> But could we triage better?  Probably.
    >>
    >> We are working towards a self-assessment for some smaller internal applications, followed by providing an 
application vulnerability scan, and random full assessments. This idea evolved from listening to talks at the Educause 
conference.
    >>
    >> Thanks
    >> Sue McGlashan