Educause Security Discussion mailing list archives

Re: HECVAT Users List


From: "Brown,Thomas" <thomasbrown () UFL EDU>
Date: Thu, 22 Feb 2018 01:28:54 +0000

In addition to maintaining vendor attestation to security controls for their products, is there effort being made to 
maintain evidence of third-party certification to the stated security posture?  Perhaps include this within the shared 
infrastructure to help qualify the vendor statements?

Anyone making progress in only using cloud vendors that have been assessed by a trusted third-party?

Maintaining an infrastructure of the HECVAT assessments is helpful to establish a level of accountability but lacks in 
verifying the security effectiveness if a trusted third-party is not involved to validate the claim.

Best,

Thomas Brown, CISSP, CISM, CRISC, CISA
Senior Information Security Analyst
UF Information Technology
Information Security Office<https://security.ufl.edu/>

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joanna 
Grama
Sent: Wednesday, February 21, 2018 5:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT Users List

Hi Mark,
We hope to post a blog soon that discusses where we are on the sharing infrastructure.  That has not progressed in the 
way the working group originally envisioned, but we are still making progress on a workable solution for higher ed.  At 
the moment sharing is happening through the REN ISAC Cloud Broker Index (or CBI) 
(https://www.ren-isac.net/hecvat/cbi.html).
 The CBI provides an up-to-date index of participating vendors with links to their completed assessments.  If a vendor 
is already listed in the CBI, security assessors at colleges and universities can utilize the posted assessment, saving 
time for both security assessors and service providers.  Vendors participate in the CBI on a voluntary basis, and there 
are four modes of participation contemplated.

We tried to sketch out what the sharing infrastructure looks like with the CBI (at its end state) in this poster: 
https://library.educause.edu/~/media/files/library/2017/10/hecvatposter.pdf

If you know of a vendor that is interested in sharing, please do direct them to the CBI website for more information.

Kind regards,
Joanna


Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | jgrama () educause edu

Become a Member- Everyone at your organization is an EDUCAUSE member when you join | Access discounts, resources, and 
valuable peer networks | Discover 
membership<https://www.educause.edu/about/discover-membership>



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark 
Dieterich
Sent: Wednesday, February 21, 2018 5:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT Users List

We've been telling vendors that EDU customers are adopting this, but haven't had a sense of how widespread the adoption 
has been. I got the green light to have Brown listed, so we will be adding our name to the list.

When this first came about, there was discussion on developing a sharing platform where completed HECVATs or the fact 
that a vendor has filled out a HECVAT, depending on their wishes, could be listed. Are there any developments with 
this? I think we actually have one vendor who indicated we could share and a few that gave us permission to list them; 
it would be great if we could actually do something with these.

Thanks,

Mark

On Wed, Feb 21, 2018 at 1:20 PM, Allen, Jon <Jon_Allen () baylor edu> wrote:
Hello!

The 2019 Higher Education Cloud Vendor Assessment Tool (HECVAT) working group is devoting effort to getting the word 
out about institutional HECVAT adoption.  We want to create a list of institutions that are using the HECVAT to publish 
on the HECVAT web page 
(https://library.educause.edu/resources/2016/10/higher-education-cloud-vendor-assessment-tool).
 The purpose of this list is two-fold: First, to demonstrate HECVAT adoption at higher education institutions (so that 
vendors will want to participate in completing a HECVAT). Second, to provide a list of HECVAT references (so that 
institutions can contact their peers with HECVAT questions). If you are interested in being listed on the webpage in 
this manner, please fill out this form. Institutional names only (not contact information) will be listed on the 
webpage.

If you would like your institution to be listed in this way, please complete our form:

https://goo.gl/forms/BJlson23HVDMy1Q63

Thanks,

_________________________________
Jon Allen, CISSP, EnCE
Assistant Vice President &
Chief Information Security Officer
Baylor University
254.710.4793

www.baylor.edu/bearaware

