HECVAT - Vendor Refusal

["Menne, Michael S" <000002306ce3cd04-dmarc-request () LISTSERV EDUCAUSE EDU>]

For those that have used the HECVAT and HECVATlite, what has your response been to a vendor who refuses to fill out the 
full HECVAT and claims that HECVAT is only required for “sensitive data” (SSN, CC#, etc.)?

We have used the HECVAT lite only for situations where the data is completely public.  In all other situations, we’ve 
used the HECVAT. Most vendors take a few attempts to get the answers we are looking for, but I’ve only had one other 
that has said they won’t fill it out at all.

Thank you,

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
https://mankato.mnsu.edu/cyberaware

[signature_1581601845]

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community