Educause Security Discussion mailing list archives

Re: HECVAT Tool with Current Vendors


From: Clark Gaylord <cgaylord () VT EDU>
Date: Wed, 22 Jan 2020 08:57:56 -0500

For a 6+ digit RFP, HECVAT can be a great focus to a conversation regarding
security practices.

If you require it of every purchase, your community will find themselves
unable to purchase $40 SaaS products and you will be burned in effigy.
HECVAT (even its so-called "lite" version) is a *very* onerous activity
for the majority of small cloud vendors, most of whom have predefined
services, some of which are outside their control, with low marginal revenue
per sale (and similarly low risk for you).

I do recommend you have conversations with vendors regarding their security
practices, and even promote HECVAT as a "community standard", but there is
no joy in making it a non-negotiable requirement.

I'd require IPv6 before requiring HECVAT; it's more indicative of general
cluefulness.


--
Clark Gaylord
cgaylord () vt edu
... autocorrect may have improved this message ...

On Mon, Jan 13, 2020, 11:40 Ronald Loneker <rloneker () cse edu> wrote:

Good Morning -

We recently were made aware of, and decided to start using, the HECVAT
tool with new vendors we use for future projects.

I'm wondering whether we should go back to our current vendors offering
cloud applications and have them complete the tool even though we're
existing customers.

Just asking for thoughts and whether anyone has done this before and
gotten a lot of pushback from existing vendors.

I think our IT auditors would be pleased if we have this information
centralized.

Ron Loneker, Jr.
Director, IT Special Projects
College of Saint Elizabeth
Mahoney Library
2 Convent Road
Morristown, NJ  07960

Phone:  973-290-4229

e-mail:  rloneker () cse edu



*CSE's IT department will never ask for your password, social security
number or other personal information in an e-mail message.*
*Please do not share any information with others!*





**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community


