Educause Security Discussion mailing list archives
Re: HECVAT Users List
From: Steven W Andariese <Steve.Andariese () NAU EDU>
Date: Fri, 23 Feb 2018 01:29:55 +0000
I like the idea of a “scoring tool” and just to chime in here, we’ve been using a modified HECVAT Lite for nine months or so. Modified for similar reasons… protected data.

At the top of the spreadsheet we state that this is a modified version and list the modifications as follows:

DOCU-07 (FERPA) added from DATA-30 of full Higher Education Cloud Vendor Assessment Tool (HECVAT)
HIPA01-HIPA32 (HIPAA/PHI) added from full HECVAT
PCID01-PCID12 (PCI) added from full HECVAT

We’re also working with procurement/purchasing, though I’m not 100% certain where this stands.

Steve

Steve Andariese
Security Compliance
Information Technology Services
Northern Arizona University
Flagstaff, Arizona 86011
E-mail: Steve.Andariese () nau edu
Voice: 928 523-6631
Fax: 928 523 7407

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Josh Callahan
Sent: Thursday, February 22, 2018 5:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT Users List

Here in the CSU we are working to build a consistent process around security reviews of vendors and contracts across our campuses. We are adopting the HECVAT as the standard document we will be asking for from all vendors for many of the same reasons that have been listed here. We went with the full rather than the lite version, because we are only using this process for vendors who are storing or processing our protected data and there are questions in the full versions we need answered to assess the risk.

Additionally, David Zeichick, a member of our team from Chico has been working on a scoring tool that will take all of the yes/no answers from the HECVAT which we've prioritized as high risk and generate a common score report that we can then share across to other campuses in our system. We are willing to share that tool back to the group if others find it helpful.
-Josh

On Thu, Feb 22, 2018 at 11:25 AM, Ronald King <ronald.king () morgan edu> wrote:

Morgan State has been using it since late last year with mixed results from vendors. Of those that have completed it, none have allowed it to be shared. This listing is necessary in my opinion. I could have used it with Tableau some time ago as they refused to complete it.

We use the full version which usually spurs additional questions and a back and forth dialogue. This, to me, is one of the great benefits. A particular vendor we reviewed looked great but was hiring a third party for their SOC. So, it gave us the info and communication channel to dig deeper and ask specific questions around what the 3rd party had access to.

The idea of incorporating it into the procurement process is a great idea and will be pushing for it here.

Ron

Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
Office: (443) 885-3372
1700 E. Cold Spring Ln.
Email: ronald.king () morgan edu
Baltimore, MD 21251
URL: http://www.morgan.edu
Growing the future ... Leading the world

On Thu, Feb 22, 2018 at 12:15 PM, Alan Bowen <abowen () fandm edu> wrote:

Modified HECVAT lite, but we’ll accept the non-modified version.

-Alan

On Feb 21, 2018, at 8:46 PM, Ken Connelly <ken.connelly () uni edu> wrote:

In general, are you (collective you, not just Mark) using the full-blown HECVAT or the HECVAT Lite?

- ken

On 2/21/18 4:29 PM, Mark Dieterich wrote:

We've been telling vendors that EDU customers are adopting this, but haven't had a sense of how widespread the adoption has been. I got the green light to have Brown listed, so we will be adding our name to the list.

When this first came about, there was discussion on developing a sharing platform where completed HECVATS or the fact that a vendor has filled out a HECVAT, depending on their wishes, could be listed. Are there any developments with this? I think we actually have one vendor who indicated we could share and a few that gave us permission to list them, it would be great if we could actually do something with these.

Thanks,
Mark

On Wed, Feb 21, 2018 at 1:20 PM, Allen, Jon <Jon_Allen () baylor edu> wrote:

Hello!

The 2019 Higher Education Cloud Vendor Assessment Tool (HECVAT) working group is devoting effort to getting the word out about institutional HECVAT adoption.
We want to create a list of institutions that are using the HECVAT to publish on the HECVAT web page (https://library.educause.edu/resources/2016/10/higher-education-cloud-vendor-assessment-tool).
The purpose of this list is two-fold: First, to demonstrate HECVAT adoption at higher education institutions (so that vendors will want to participate in completing a HECVAT). Second, to provide a list of HECVAT references (so that institutions can contact their peers with HECVAT questions).

If you are interested in being listed on the webpage in this manner, please fill out this form. Institutional names only (not contact information) will be listed on the webpage.

If you would like your institution to be listed in this way, please complete our form: https://goo.gl/forms/BJlson23HVDMy1Q63

Thanks,

_________________________________
Jon Allen, CISSP, EnCE
Assistant Vice President &
Chief Information Security Officer
Baylor University
254.710.4793
http://www.baylor.edu/bearaware

--
- Ken
=================================================================
Ken Connelly
Director, Information Security
Information Security Officer
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373
Any request to divulge your UNI password via e-mail is fraudulent!

--
-------------------------------------------------
Josh Callahan
Information Security Officer and CTO
ITS :: Humboldt State University
1 Harpst St. Arcata CA 95521
707.826.3815