Educause Security Discussion mailing list archives

Re: HECVAT help


From: Christian Schreiber <chris () CSCHREIBER LLC>
Date: Mon, 13 Sep 2021 21:02:38 +0000

Vince - I would always push for a SOC 2 / Type 2 first. If they have mature processes they should be able to readily 
produce their current version. The HECVAT is a good option if they don't have a report from their auditor, but I'd also 
view the lack of a SOC report as a red flag about the maturity of their internal controls and security program.

Keep in mind the SOC 2 / Type 2 is attesting to the efficacy of their controls over a 12 month period, so it's not 
unusual to see one that was produced around a year earlier. I'd ask the vendor point blank when they'll have their 
updated report available. It could mean they're remediating something before finalizing the report, or they may have 
decided to let the whole process lapse. You're within your rights as a customer to find out so you can make an informed 
decision about the risk of working with them.

Similarly, if the HECVAT is a year old I'd push for updated verification from them that their answers are still 
relevant.

Hope that helps.
- Chris


---
Christian Schreiber, CISM, PMP

Office: 520.497.3614
Email: chris () cschreiber llc
Web: www.cschreiber.llc

C Schreiber LLC
Simplify your university cybersecurity strategy

Sent from a mobile device. Please excuse any typos.
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Vince Bonura 
<vbonura () FORDHAM EDU>
Sent: Monday, September 13, 2021 3:51:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT help


George,

Your post is timely! I just attended a HECVAT Working Group meeting and wanted to ask a related question.

I joined the workgroup with hopes of gaining an understanding of the HECVAT and how it should be used. While I know the 
basic concept, I am just now reading my first vendor-completed HECVAT that I received last Thursday.

The question I wanted to ask is: What’s the comparison between a SOC2, Type 2 and the HECVAT?

I originally requested a SOC2, Type 2 report from the vendor and received one dated 6/30/20. When I asked for a current 
copy, I was told that they completed a HECVAT and would supply that. The HECVAT I received from the vendor is dated 
6/22/20.

My assumption is that an outdated HECVAT is no better than an outdated SOC2, Type 2.

Does everyone agree?

Thank you.

Vince Bonura
IT Risk Analyst
Fordham University
(718) 817-1875


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Viegas, George 
<viegas () CHAPMAN EDU>
Date: Monday, September 13, 2021 at 4:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] HECVAT help

Hi Brian,

I’m looking for resources to help understand how to read the HECVAT, specifically how to know what is a fully completed 
submission vs. an incomplete one. The EDUCAUSE HECVAT webpage did not have resources to help me read and use a HECVAT. 
Could you please help me find the right resource?

Thanks,
-George

George Viegas, CIPP-US, CISSP, CISA
Chief Information Security Officer/Privacy Champion
Chapman University, Orange CA
viegas () chapman edu / 714-744-7979

Secure your Chapman Account today @ 2fa.chapman.edu !

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community