Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] HECVAT and HECVAT lite Threshold
From: "Escue, Charles E" <cescue () IU EDU>
Date: Fri, 28 Jun 2019 14:24:18 +0000
Zeshan, Darlene, and others,

It is great to see these questions being asked and hopefully I can shed some light on the current intent of the scoring. I am a member of the HEISC working group that develops the HECVAT (and more) and can give some background here.

The newly introduced scoring system (found in version 2.00 and later) is an educated-guess baseline set by the working group just to "start somewhere". The question- and section-based scoring will be assessed over the next year and adjusted as needed - these changes will be driven by the community, so feedback is welcome! Come to EDUCAUSE conferences and come speak with the working group and others in the community - there are many of us doing this same thing and we want to help!

At this point, we do not really know the baseline of "good" - it could be 80, 70, or even a lower score, depending on your use case of the product/service/platform. The "passing score" is based on the use case of the data being shared and the risk tolerance of your organization. This is still a subjective part of the process and will always be. That said, the working group is working to better document the how/what/why's of the HECVAT process to better assist the community with its adoption. Over time, we (as in the royal we) can begin to compare the scores across vendors and adjust our expectations and/or scoring as needed.

Right now, the scoring provides a quick snapshot of the product's security state that helps analysts prioritize their follow-up questions and/or research. At Indiana University, we use the analyst-populated Analyst Report score as the starting point of assessment, not just the score that comes straight from the vendor. There are some questions in the Lite and Full versions of the HECVAT that must remain qualitative in nature, so the Analyst Report tab provides a mechanism to convert the qualitative value to a quantitative value - that is what it was designed for.

Once the Analyst Report values are populated by your institution's reviewer (analyst), the actual "base score" is revealed. At that point, deficient areas of security are further scrutinized by the analysts.

One tip: HECVAT questions are not equally valued by every institution. What is acceptable to one institution may not be to another, based on their risk tolerance and their institution's data classifications. Because of that, it will be difficult to define commodity "passing scores" that are useful for all institutions, but we can try!

Charlie

Charles Escue, CISSP, GCIH
Manager, Extended Information Security
University Information Security Office
Indiana University
On Jun 27, 2019, at 18:23, Quackenbush, Darlene H - quackedh <quackedh () JMU EDU> wrote:

Zeshan and others,

I certainly don't want to distract from your original question. But as others respond, I would also be interested to know what weight/consideration you give to the scoring and how reliable you find it to be across various submissions. At JMU we have not attempted to set a "passing score" and instead use the scores only as a jumping-off point to evaluate the HECVAT response. Just wondering what we might be missing.

Regards,
--dq

Darlene H. Quackenbush
James Madison University
Information Technology
MCS 5733
Harrisonburg, VA 22801
540.568.3905

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Zeshan Siddiqui
Sent: Thursday, June 27, 2019 5:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT and HECVAT lite Threshold

Hello,

We are in the process of setting our HECVAT and HECVAT LITE threshold (Analyst tab). I am looking for how and what you set your passing score for each to be and how you came to that decision.

Kindest regards,
Zeshan

Zeshan Siddiqui
Information Technology
Pima Community College
District Office
(520) 206-4579

~ If what you did yesterday seems big to you today, then you have not done anything today.