Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HECVAT alternative for On-Prem Vendors

From: randy <marchany () VT EDU>
Date: Wed, 14 Nov 2018 13:55:11 -0500
we'd be interested in building/testing the on-prem version of HECVAT.

-Randy Marchany
VA Tech IT Security Office and Lab

On Wed, Nov 14, 2018 at 11:24 AM Josh Callahan <josh.callahan () humboldt edu>
wrote:


We're talking a bit in the HECVAT working group about the possibility a
third fork for this, maybe call it the HECVAT-OnPrem.  I did a bit of
analysis on the relevant sections and questions counts:

Documentation (Full/Lite 6)
Company ( Full/Lite   7)
Application/Service Security (Full 17) (Lite 6)
Authentication, Authorization, and Accounting (Full 17) (Lite 5)
Change Management (Full 15) (Lite 4)
Database ( Full/Lite   2)
Policies, Procedures, and Processes (Full 20) (Lite 4)
Product Evaluation (Full 2) (Lite 0)
Quality Assurance (Full 5) (Lite 0)

Using the full version as a base, we'd end up with an 81 question fork.
One based on the lite would only be 34 questions.  Do you folks have a
preference?

Anyone interesting in helping build/test a new version of the tool?

-Josh


On Fri, Nov 9, 2018 at 8:13 AM randy <marchany () vt edu> wrote:


This is our "on-prem" vendor questionnaire that we've used in the past
couple of years. It's at
https://itpals.vt.edu/content/dam/itpals_vt_edu/newitasitedocs/it-procurement/it_security_questionnaire2.pdf.
We took Notre Dame and IU's original questionnaires and modified them.

We will be using HECVAT for more  evals in the future..

Randy Marchany
VA Tech IT Security Office and Lab


On Fri, Nov 9, 2018 at 7:24 AM Belsito, Louis D <belsito () rowan edu>
wrote:


I’ve been struggling with this issue as well.  I’ve been using Gartner’s
Security and Privacy Vendor Application Evaluation (VSPT Questionnaire)
it’s a spreadsheet for basic security and privacy assessment of vendor
applications.  It’s not as clean and pretty as the HECVAT.  It’s about 60
questions.





*____________________________________*



*Lou Belsito, MBA, MISM, CISSP, CISA*

Manager, Information Security Risk

Information Security Office

Division of Information Resources & Technology



Rowan University

201 Mullica Hill Rd., Glassboro, NJ 08028

T: 856-256-5725

Rowan.edu



*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Tyler Newell
*Sent:* Thursday, November 1, 2018 9:26 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] HECVAT alternative for On-Prem Vendors



Community,



We started using the HECVAT for cloud vendor assessments a little more
than a year ago and have been very happy with it especially when a vendor
has already filled one out so we aren’t waiting to receive it back.



That said, we’ve had contract expirations for some of our on-premise
vendors and wanted to run them through a similar process to properly assess
their product(s). I wasn’t able to find a standardized assessment
questionnaire like the HECVAT when it comes to on-premise, so I thought I
would reach out to see if anyone had a document already created that they
are willing to share.



I appreciate your time for reading this.



Thank you,



//SIGNED//

Tyler Newell, Information Security Analyst

Bowling Green State University | Information Technology Services

P: 419.372.0999 | tnewell () bgsu edu | www.bgsu.edu/infosec



This e-mail, including any attachments, may contain information that is
protected by law as privileged and confidential, and is transmitted for the
sole use of the intended recipient.  If you are not the intended recipient,
you are hereby notified that any use, dissemination, copying or retention
of this e-mail or the information contained herein is strictly prohibited.







--
-------------------------------------------------
Josh Callahan
Information Security Officer and CTO
ITS :: Humboldt State University
1 Harpst St. Arcata CA 95521  707.826.3815
Previous By Date Next
Previous By Thread Next

Current thread: