Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] HECVAT and HECVAT lite Threshold
From: Alex Lindstrom <aglind () UDEL EDU>
Date: Fri, 28 Jun 2019 10:39:58 -0400
All,

At Delaware, we view the HECVAT responses as a collection of data points among many others, to include audit reports, strength of contractual language, technical documentation, SOWs, SLAs, and so on. We broaden the context to the entirety of the vendor's proposal package, and so we don't necessarily attempt to create scoring thresholds that would gatekeep vendors based on HECVAT responses alone.

To that end, we don't really use the analyst report. Rather, we review the answers themselves with particular attention to specific questions (including audit reports, SSO integration, data encryption). Some questions are not as critical to the vendor's security posture, and, to Charlie's point, each institution puts emphasis on certain controls and not so much on others.

Most importantly, we evaluate HECVAT responses in the context of our understanding of the service's risk based on an internal intake questionnaire, which the requesting unit submits as part of their service request. The questionnaire addresses issues such as the classification of the data involved, criticality of the service to unit/University operations, general types of risks (breach of PII, regulatory penalties, theft of intellectual property, etc.), and nature of the implementation (on prem, cloud). This analysis informs our negotiations with the vendor, including contract redlines for security-related terms (security program, confidentiality, breach provisions, audit reports) and project planning items (SOWs, project plans).

My experience is that cloud services are so disparate that they cannot be effectively "scored" in a vacuum. Even with an analyst weighting specific questions to calculate an overall score, that score needs context in order to have value. Institutions have to consider intended use, data involved, integrations planned, and associated risk in order to make more informed decisions about a cloud service. A vendor providing web management services may be addressed more leniently than one requesting ERP integrations, and one contractually promising annual copies of SSAE 16 SOC 2s or SOC 3s will be viewed more favorably than one that offers no security terms whatsoever.

Best,
-----
Alex Lindstrom
IT Security Analyst II
UD IT Security
(302) 831-4823
https://www.udel.edu/security/
https://sites.udel.edu/threat/

On Fri, Jun 28, 2019 at 10:24 AM Escue, Charles E <cescue () iu edu> wrote:
Zeshan, Darlene, and others,

It is great to see these questions being asked and hopefully I can shed some light on the current intent of the scoring. I am a member of the HEISC working group that develops the HECVAT (and more) and can give some background here.

The newly introduced scoring system (found in version 2.00 and later) is an educated-guess baseline set by the working group just to "start somewhere". The question- and section-based scoring will be assessed over the next year and adjusted as needed - these changes will be driven by the community so feedback is welcome! Come to EDUCAUSE conferences and come speak with the working group and others in the community - there are many of us doing this same thing and we want to help!

At this point, we do not really know the baseline of “good” - it could be 80, 70, or even a lower score, depending on your use case of the product/service/platform. The “passing score” is based on the use case of the data being shared and the risk tolerance of your organization. This is still a subjective part of the process and will always be. That said, the working group is working to better document the how/what/whys of the HECVAT process to better assist the community with its adoption. Over time, we (as in the royal we) can begin to compare the scores across vendors and adjust our expectations and/or scoring as needed. Right now, the scoring provides a quick snapshot of the product's security state that helps analysts prioritize their follow-up questions and/or research.

At Indiana University, we use the analyst-populated Analyst Report score as the starting point of assessment, not just the score that comes straight from the vendor. There are some questions in the Lite and Full versions of the HECVAT that must remain qualitative in nature, so the Analyst Report tab provides a mechanism to convert the qualitative value to a quantitative value - that is what it was designed for. Once the Analyst Report values are populated by your institution's reviewer (analyst), the actual “base score” is revealed. At that point, deficient areas of security are further scrutinized by the analysts.

One tip: HECVAT questions are not equally valued by every institution. What is acceptable to one institution may not be for another, based on their risk tolerance and their institution's data classifications. Because of that, it will be difficult to define commodity “passing scores” that are useful for all institutions, but we can try!

Charlie

Charles Escue, CISSP, GCIH
Manager, Extended Information Security
University Information Security Office
Indiana University

On Jun 27, 2019, at 18:23, Quackenbush, Darlene H - quackedh <quackedh () JMU EDU> wrote:

This message was sent from a non-IU address. Please exercise caution when clicking links or opening attachments from external sources.

Zeshan and others,

I certainly don’t want to distract from your original question. But as others respond, I would also be interested to know what weight/consideration you give to the scoring and how reliable you find it to be across various submissions. At JMU we have not attempted to set a “passing score” and instead use the scores only as a jumping-off point to evaluate the HECVAT response. Just wonder what we might be missing.

Regards,
--dq

Darlene H. Quackenbush
James Madison University
Information Technology
MCS 5733
Harrisonburg, VA 22801
540.568.3905

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Zeshan Siddiqui
Sent: Thursday, June 27, 2019 5:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT and HECVAT lite Threshold

Hello,

We are in the process of setting our HECVAT and HECVAT LITE threshold (Analyst Tab). I am looking for what you set your passing score for each to be and how you came to that decision.

Kindest regards,
Zeshan

Zeshan Siddiqui
Information Technology
Pima Community College District Office
(520) 206-4579

~ If what you did yesterday seems big to you today, then you have not done anything today.