Educause Security Discussion mailing list archives

Re: [External] Re: [SECURITY] HECVAT and HECVAT lite Threshold


From: Alex Lindstrom <aglind () UDEL EDU>
Date: Fri, 28 Jun 2019 10:39:58 -0400

All,

At Delaware, we view the HECVAT responses as a collection of data points
among many others, to include audit reports, strength of contractual
language, technical documentation, SOWs, SLAs, and so on. We broaden the
context to the entirety of the vendor's proposal package, and so we don't
necessarily attempt to create scoring thresholds that would gatekeep
vendors based on HECVAT responses alone.

To that end, we don't really use the analyst report. Rather, we review the
answers themselves with particular attention to specific questions
(including audit reports, SSO integration, data encryption). Some questions
are not as critical to the vendor's security posture, and, to Charlie's
point, each institution puts emphasis on certain controls and not so much
on others.

Most importantly, we evaluate HECVAT responses in the context of our
understanding of the service's risk based on an internal intake
questionnaire, which the requesting unit submits as part of their service
request. The questionnaire addresses issues such as the classification of
the data involved, criticality of the service to unit/University
operations, general types of risks (breach of PII, regulatory penalties,
theft of intellectual property, etc.), and nature of the implementation (on
prem, cloud). This analysis informs our negotiations with the vendor,
including contract redlines for security-related terms (security program,
confidentiality, breach provisions, audit reports) and project planning
items (SOWs, project plans).

My experience is that cloud services are so disparate that they cannot be
effectively "scored" in a vacuum. Even with an analyst weighting specific
questions to calculate an overall score, that score needs context in order
to have value. Institutions have to consider intended use, data involved,
integrations planned, and associated risk in order to make more informed
decisions about a cloud service. A vendor providing web management services
may be addressed more leniently than one requesting ERP integrations, and
one contractually promising annual copies of SSAE 16 SOC 2s or SOC 3s will
be viewed more favorably than one that offers no security terms whatsoever.

Best,

-----

Alex Lindstrom

IT Security Analyst II
UD IT Security

(302) 831-4823
https://www.udel.edu/security/ <https://www1.udel.edu/security/>
https://sites.udel.edu/threat/


On Fri, Jun 28, 2019 at 10:24 AM Escue, Charles E <cescue () iu edu> wrote:

Zeshan, Darlene, and others,

It is great to see these questions being asked and hopefully I can shed
some light on the current intent of the scoring. I am a member of the HEISC
working group that develops the HECVAT (and more) and can give some
background here.

The newly introduced scoring system (found in version 2.00 and later) is
an educated-guess baseline set by the working group just to "start
somewhere". The question- and section-based scoring will be assessed over
the next year and adjusted as needed - these changes will be driven by the
community so feedback is welcome! Come to EDUCAUSE conferences and come
speak with the working group and others in the community - there are many
of us doing this same thing and we want to help!

At this point, we do not really know the baseline of “good” - it could be
80, 70, or even a lower score, depending on your use case of the
product/service/platform. The “passing score” is based on the use case of
the data being shared and the risk tolerance of your organization. This is
still a subjective part of the process and will always be. That said, the
working group is working to better document the how/what/why’s of the
HECVAT process to better assist the community with its adoption.

Over time, we (as in the royal we) can begin to compare the scores across
vendors and adjust our expectations and/or scoring as needed. Right now,
the scoring provides a quick snapshot of the product's security state that
helps analysts prioritize their follow-up questions and/or research.

At Indiana University, we use the analyst-populated Analyst Report score
as the starting point of assessment, not just the score that comes straight
from the vendor. There are some questions in the Lite and Full versions of
the HECVAT that must remain qualitative in nature, so the Analyst Report
tab provides a mechanism to convert the qualitative value to a quantitative
value - that is what it was designed for. Once the Analyst Report values
are populated by your institution's reviewer (analyst), the actual “base
score” is revealed. At that point, deficient areas of security are further
scrutinized by the analysts.

One tip: HECVAT questions are not equally valued by every institution.
What is acceptable to one institution may not be for another, based on
their risk tolerance and their institution's data classifications. Because
of that, it will be difficult to define commodity “passing scores” that are
useful for all institutions, but we can try!


Charlie


*Charles Escue, CISSP, GCIH*
Manager, Extended Information Security
University Information Security Office
Indiana University



On Jun 27, 2019, at 18:23, Quackenbush, Darlene H - quackedh <
quackedh () JMU EDU> wrote:

Zeshan and others,

I certainly don’t want to distract from your original question. But as
others respond, I would also be interested to know what
weight/consideration you give to the scoring and how reliable you find it
to be across various submissions.

At JMU we have not attempted to set a “passing score” and instead use the
scores only as a jumping-off point to evaluate the HECVAT response. Just
wondering what we might be missing.

Regards,
--dq



*Darlene H. Quackenbush*
*James Madison University*
Information Technology
MCS 5733
Harrisonburg, VA 22801
540.568.3905
*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Zeshan Siddiqui
*Sent:* Thursday, June 27, 2019 5:30 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] HECVAT and HECVAT lite Threshold

Hello

We are in the process of setting our HECVAT and HECVAT Lite threshold
(Analyst tab).

I am looking for what you set your passing score for each to be and
how you came to that decision.


Kindest regards,

Zeshan

Zeshan Siddiqui
Information Technology
Pima Community College
District Office
(520) 206-4579


~ If what you did yesterday seems big to you today, then you have not done
anything today.