Re: HECVAT alternative for On-Prem Vendors

[Niranjan Davray <davrayn () KENYON EDU>]

We would also be willing to build/test the on-prem version of the
HECVAT. This is a fantastic idea.
Best,
Niranjan Davray
On Wed, Nov 14, 2018 at 1:55 PM randy <marchany () vt edu> wrote:
> we'd be interested in building/testing the on-prem version of HECVAT.
>
> -Randy Marchany
> VA Tech IT Security Office and Lab
>
> On Wed, Nov 14, 2018 at 11:24 AM Josh Callahan <josh.callahan () humboldt edu> wrote:
> > We're talking a bit in the HECVAT working group about the possibility a third fork for this, maybe call it the 
> > HECVAT-OnPrem.  I did a bit of analysis on the relevant sections and questions counts:
> >
> > Documentation (Full/Lite 6)
> > Company ( Full/Lite   7)
> > Application/Service Security (Full 17) (Lite 6)
> > Authentication, Authorization, and Accounting (Full 17) (Lite 5)
> > Change Management (Full 15) (Lite 4)
> > Database ( Full/Lite   2)
> > Policies, Procedures, and Processes (Full 20) (Lite 4)
> > Product Evaluation (Full 2) (Lite 0)
> > Quality Assurance (Full 5) (Lite 0)
> >
> > Using the full version as a base, we'd end up with an 81 question fork.  One based on the lite would only be 34 
> > questions.  Do you folks have a preference?
> >
> > Anyone interesting in helping build/test a new version of the tool?
> >
> > -Josh
> >
> >
> > On Fri, Nov 9, 2018 at 8:13 AM randy <marchany () vt edu> wrote:
> > > This is our "on-prem" vendor questionnaire that we've used in the past couple of years. It's at 
> > > https://itpals.vt.edu/content/dam/itpals_vt_edu/newitasitedocs/it-procurement/it_security_questionnaire2.pdf. We 
> > > took Notre Dame and IU's original questionnaires and modified them.
> > >
> > > We will be using HECVAT for more  evals in the future..
> > >
> > > Randy Marchany
> > > VA Tech IT Security Office and Lab
> > >
> > >
> > > On Fri, Nov 9, 2018 at 7:24 AM Belsito, Louis D <belsito () rowan edu> wrote:
> > > > I’ve been struggling with this issue as well.  I’ve been using Gartner’s Security and Privacy Vendor Application 
> > > > Evaluation (VSPT Questionnaire) it’s a spreadsheet for basic security and privacy assessment of vendor 
> > > > applications.  It’s not as clean and pretty as the HECVAT.  It’s about 60 questions.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ____________________________________
> > > >
> > > >
> > > >
> > > > Lou Belsito, MBA, MISM, CISSP, CISA
> > > >
> > > > Manager, Information Security Risk
> > > >
> > > > Information Security Office
> > > >
> > > > Division of Information Resources & Technology
> > > >
> > > >
> > > >
> > > > Rowan University
> > > >
> > > > 201 Mullica Hill Rd., Glassboro, NJ 08028
> > > >
> > > > T: 856-256-5725
> > > >
> > > > Rowan.edu
> > > >
> > > >
> > > >
> > > > From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Tyler Newell
> > > > Sent: Thursday, November 1, 2018 9:26 AM
> > > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > > Subject: [SECURITY] HECVAT alternative for On-Prem Vendors
> > > >
> > > >
> > > >
> > > > Community,
> > > >
> > > >
> > > >
> > > > We started using the HECVAT for cloud vendor assessments a little more than a year ago and have been very happy 
> > > > with it especially when a vendor has already filled one out so we aren’t waiting to receive it back.
> > > >
> > > >
> > > >
> > > > That said, we’ve had contract expirations for some of our on-premise vendors and wanted to run them through a 
> > > > similar process to properly assess their product(s). I wasn’t able to find a standardized assessment questionnaire 
> > > > like the HECVAT when it comes to on-premise, so I thought I would reach out to see if anyone had a document 
> > > > already created that they are willing to share.
> > > >
> > > >
> > > >
> > > > I appreciate your time for reading this.
> > > >
> > > >
> > > >
> > > > Thank you,
> > > >
> > > >
> > > >
> > > > //SIGNED//
> > > >
> > > > Tyler Newell, Information Security Analyst
> > > >
> > > > Bowling Green State University | Information Technology Services
> > > >
> > > > P: 419.372.0999 | tnewell () bgsu edu | www.bgsu.edu/infosec
> > > >
> > > >
> > > >
> > > > This e-mail, including any attachments, may contain information that is protected by law as privileged and 
> > > > confidential, and is transmitted for the sole use of the intended recipient.  If you are not the intended 
> > > > recipient, you are hereby notified that any use, dissemination, copying or retention of this e-mail or the 
> > > > information contained herein is strictly prohibited.
> >
> >
> >
> > --
> > -------------------------------------------------
> > Josh Callahan
> > Information Security Officer and CTO
> > ITS :: Humboldt State University
> > 1 Harpst St. Arcata CA 95521  707.826.3815



-- 
Niranjan Davray
Director of Information Technology Services
Kenyon College
1 740 427 5847