Re: Salesforce and HECVAT

[Brad Judy <brad.judy () CU EDU>]

I encourage anyone looking at third-party assessments to check the Cloud Security Alliance STAR registry 
(https://cloudsecurityalliance.org/star/registry/). This is where vendors can either self-assess or have a third-party 
assess their compliance to Cloud Security Alliance controls (which are at the core of HECVAT).  There are hundreds of 
companies who have posted self-assessments or third-party assessments.

In this case, SalesForce has completed a self-assessment of the Cloud Controls Matrix and posted it in the registry: 
https://cloudsecurityalliance.org/star/registry/salesforce-com-inc/

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu<http://www.cu.edu/>

[cu-logo_fl]


From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Carrie Shumaker <shumakr () UMICH EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, November 13, 2018 at 8:15 PM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Salesforce and HECVAT

Hi all,

I'm working on what data to allow into Salesforce. My two big areas of question are SSN and GLBA data (student loan 
data).

Two questions:
1. Has anyone talked with Salesforce about completing a HECVAT, or had success with them answering a similar 
questionnaire? (And if so, can you share?)

2. Asked another way: would you store SSN / GLBA data in Salesforce? Why or why not?

Thanks
Carrie

--
Carrie Shumaker
Director of Information Technology, Strategy, and Operations
Chief Information Officer
University of Michigan - Dearborn
4901 Evergreen Road
Dearborn, MI 48128
Ph: 313-593-5113
shumakr () umich edu<mailto:shumakr () umich edu>
umdearborn.edu<http://umdearborn.edu>

[Image removed by sender.]