Educause Security Discussion mailing list archives

Re: [External] Re: [SECURITY] HECVAT Tool with Current Vendors


From: Thomas Dugas <dugast () DUQ EDU>
Date: Thu, 23 Jan 2020 15:16:20 +0000

Hello,
I am a huge fan of the HECVAT and use it for nearly all our vendor assessments at this point. I even try to do it for 
the smaller purchases because we had one case where a sub $5000 software package nearly cost us close to a million 
dollars because we hadn’t done a complete assessment of the vendor’s security, license, and other items.

It also has satisfied our auditors as well, as long as we review it, note exceptions, work with the vendor on 
responses, and validate the tool for use on campus. Each time we go through a new contract or contract renewal we are 
going through the review to catch up. Vendors aren’t happy to do it all the time when they just want a renewal but we 
advise them that this is a new process and policy at the University.

Thanks,


Tom Dugas
dugast () duq edu
AVP/CISO
Duquesne University

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Clark Gaylord
Sent: Wednesday, January 22, 2020 8:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] Re: [SECURITY] HECVAT Tool with Current Vendors

For a 6+ digit RFP, HECVAT can be a great focus to a conversation regarding security practices.

If you require it of every purchase, your community will find themselves unable to purchase $40 SaaS products and you 
will be burned in effigy. HECVAT (even its so-called "lite" version) is a *very* onerous activity for the majority of 
small cloud vendors, most of whom have predefined services, some of which outside their control, with low marginal 
revenue per sale (and similarly low risk for you).

I do recommend you have conversations with vendors regarding their security practices, and even promote HECVAT as a 
"community standard", but there is no joy in making it a non-negotiable requirement.

I'd require IPv6 before requiring HECVAT; it's more indicative of general cluefulness.


--
Clark Gaylord
cgaylord () vt edu
... autocorrect may have improved this message ...

On Mon, Jan 13, 2020, 11:40 Ronald Loneker <rloneker () cse edu> wrote:
Good Morning -

We recently were made aware of, and decided to start using, the HECVAT tool with new vendors we use for future projects.

I'm wondering whether we should go back to our current vendors offering cloud applications and have them complete the 
tool even though we're existing customers.

Just asking for thoughts and whether anyone has done this before and gotten a lot of pushback from existing vendors.

I think our IT auditors would be pleased if we have this information centralized.

Ron Loneker, Jr.
Director, IT Special Projects
College of Saint Elizabeth
Mahoney Library
2 Convent Road
Morristown, NJ  07960

Phone:  973-290-4229

e-mail:  rloneker () cse edu


CSE's IT department will never ask for your password, social security number or other personal information in an e-mail 
message.

Please do not share any information with others!

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community