Educause Security Discussion mailing list archives
Re: HECVAT Tool usage
From: "Escue, Charles E" <cescue () IU EDU>
Date: Wed, 31 May 2017 16:22:32 +0000
Hello John, I’ll speak for our usage at Indiana University. We have used the HECVAT in some form since its publication in October 2016. It has been our primary assessment tool for cloud services / institutional data sharing since January 2017. I’ve formatted my answers to match yours for clarity. · Yes, and yes. Requests for assessments come from both stages. · Yes. We use the HECVAT as the primary means of assessing a cloud vendor. If our evaluation of the HECVAT (or any other document) finds unacceptable risks (determined by our data stewards), approval for purchase may not granted. · Some vendors required an NDA before providing a populated HECVAT. If they decline to answer any question(s), it is their choice. If it hinders our assessment of a particular vendor/request, it is documented in our evaluation summary. I’m willing to speak offline if you’re interested. Charlie Charles Escue, GISP Lead Security Analyst University Information Security Office 2709 East 10th Street Bloomington, IN 47408 Office: (812) 856-3334 cescue () iu edu From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () listserv educause edu> on behalf of "John R. LaPrad" <jrl () SVSU EDU> Organization: Saginaw Valley State University Reply-To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () listserv educause edu> Date: Wednesday, May 31, 2017 at 11:59 AM To: "SECURITY () listserv educause edu" <SECURITY () listserv educause edu> Subject: [SECURITY] HECVAT Tool usage We are talking about having cloud vendors fill out this assessment. I am wondering how are institutions using this document. · Are vendors requested to fill it out during the RFP stage or after selection? · Is it used to help make the purchase decision? If so, how is it quantified or scored so that responses can be compared across vendors? · What if vendors say that information is proprietary and don't answer many of the questions? Thank you for the input. John LaPrad - CISSP, CIHE Information Systems Security Manager Saginaw Valley State University 7400 Bay Rd. University Center, MI Phone: 989-964-7134 jrl () svsu edu
Attachment:
smime.p7s
Description:
Current thread:
- HECVAT Tool usage John R. LaPrad (May 31)
- Re: HECVAT Tool usage Brad Judy (May 31)
- Re: HECVAT Tool usage Rob Milman (May 31)
- Re: HECVAT Tool usage Ruth Ginzberg (May 31)
- Re: HECVAT Tool usage Robert Smith (May 31)
- Re: HECVAT Tool usage Escue, Charles E (May 31)
- Re: HECVAT Tool usage Flynn, Gary - flynngn (May 31)
- Re: HECVAT Tool usage Sue McGlashan (May 31)
- Re: HECVAT Tool usage Alex Jalso (May 31)
- Re: HECVAT Tool usage John R. LaPrad (Jun 12)