Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] HECVAT Tool with Current Vendors
From: Thomas Dugas <dugast () DUQ EDU>
Date: Thu, 23 Jan 2020 15:16:20 +0000
Hello,

I am a huge fan of the HECVAT and use it for nearly all our vendor assessments at this point. I even try to do it for the smaller purchases because we had one case where a sub-$5000 software package nearly cost us close to a million dollars because we hadn't done a complete assessment of the vendor's security, license, and other items. It also has satisfied our auditors as well, as long as we review it, note exceptions, work with the vendor on responses, and validate the tool for use on campus. Each time we go through a new contract or contract renewal we are going through the review to catch up. Vendors aren't happy to do it all the time when they just want a renewal, but we advise them that this is a new process and policy at the University.

Thanks,

Tom Dugas
Dugast () duq edu
AVP/CISO
Duquesne University

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Clark Gaylord
Sent: Wednesday, January 22, 2020 8:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] Re: [SECURITY] HECVAT Tool with Current Vendors

For a 6+ digit RFP, HECVAT can be a great focus to a conversation regarding security practices. If you require it of every purchase, your community will find themselves unable to purchase $40 SaaS products and you will be burned in effigy.

HECVAT (even its so-called "lite" version) is a *very* onerous activity for the majority of small cloud vendors, most of whom have predefined services, some of which outside their control, with low marginal revenue per sale (and similarly low risk for you).

I do recommend you have conversations with vendors regarding their security practices, and even promote HECVAT as a "community standard", but there is no joy in making it a non-negotiable requirement.

I'd require IPv6 before requiring HECVAT; it's more indicative of general cluefulness.

--
Clark Gaylord
cgaylord () vt edu
... autocorrect may have improved this message ...

On Mon, Jan 13, 2020, 11:40 Ronald Loneker <rloneker () cse edu> wrote:

Good Morning -

We recently were made aware of, and decided to start using, the HECVAT tool with new vendors we use for future projects. I'm wondering whether we should go back to our current vendors offering cloud applications and have them complete the tool even though we're existing customers. Just asking for thoughts and whether anyone has done this before and gotten a lot of pushback from existing vendors. I think our IT auditors would be pleased if we have this information centralized.

Ron Loneker, Jr.
Director, IT Special Projects
College of Saint Elizabeth
Mahoney Library
2 Convent Road
Morristown, NJ 07960
Phone: 973-290-4229
e-mail: rloneker () cse edu

CSE's IT department will never ask for your password, social security number or other personal information in an e-mail message. Please do not share any information with others!

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- HECVAT Tool with Current Vendors Ronald Loneker (Jan 13)
- Re: HECVAT Tool with Current Vendors Frank Barton (Jan 13)
- Re: HECVAT Tool with Current Vendors Alexandre Adao (Jan 13)
- Re: HECVAT Tool with Current Vendors Cam Beasley (Jan 13)
- Re: [EXTERNAL]Re: [SECURITY] HECVAT Tool with Current Vendors Jason Fried (Jan 13)
- Re: HECVAT Tool with Current Vendors Dennis Bolton (Jan 22)
- Re: HECVAT Tool with Current Vendors Alexandre Adao (Jan 13)
- Re: HECVAT Tool with Current Vendors Madl, Michael (Jan 15)
- Re: HECVAT Tool with Current Vendors Wessam Maher (Jan 22)
- Re: HECVAT Tool with Current Vendors Clark Gaylord (Jan 22)
- Re: [External] Re: [SECURITY] HECVAT Tool with Current Vendors Thomas Dugas (Jan 23)
- Re: HECVAT Tool with Current Vendors Frank Barton (Jan 13)