Educause Security Discussion mailing list archives

Re: HECVAT - Vendor Refusal


From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Tue, 15 Jun 2021 13:32:18 +0000

I give vendors the choice of HECVAT, HECVAT Lite or CAIQ but if they refuse to submit any of those then they are 
excluded from further consideration as a supplier for (whatever the current procurement is for).

Ruth Ginzberg
Sr. I.T. Procurement Specialist
660 W. Washington Avenue, Suite 201
Madison, WI 53703
608-890-3961 | wisconsin.edu<https://www.wisconsin.edu/>


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Menne, Michael S
Sent: Tuesday, June 15, 2021 8:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HECVAT - Vendor Refusal


For those that have used the HECVAT and HECVAT Lite, what has your response been to a vendor who refuses to fill out the 
full HECVAT and claims that HECVAT is only required for “sensitive data” (SSN, CC#, etc.)?

We have used the HECVAT Lite only for situations where the data is completely public. In all other situations, we’ve 
used the HECVAT. Most vendors take a few attempts to get the answers we are looking for, but I’ve only had one other 
that has said they won’t fill it out at all.

Thank you,

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
https://mankato.mnsu.edu/cyberaware




**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
