Educause Security Discussion mailing list archives
Due Diligence, vendor assessments, etc.
From: Frank Barton <bartonf () HUSSON EDU>
Date: Tue, 30 Apr 2019 09:12:56 -0400
Good morning folks,

I've been following the discussions around the HECVAT, and was wondering if anybody was using a similar type of assessment tool/checklist when selecting vendors for physical/on-prem devices. Specifically for devices that might be considered "IoT" or other "black-box" type devices where we as the end-user/admin have somewhat limited access to the underlying systems.

Some of the devices that have recently come across my radar for this type of assessment include:
- Security Cameras
- Access Control Systems/Networked Locks
- HVAC/Building controls
- Electrical monitoring equipment
- Digital signage
- Medical Equipment

Some of the questions that have come up for us include:
- Lifecycle (end-of-sale, end-of-life, end-of-support) questions
- availability of firmware/security updates
- process for updating firmware (manual, automatic, OTA, serial/usb, etc.)
- notification of update availability
- ability to factory reset
- what data is stored on device
- remote support capabilities
- remote support tunnels

Thank You all
Frank
--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University