Re: HECVAT Users List

[Theresa Rowe <rowe () OAKLAND EDU>]

Our Purchasing department does not allow any removal of any vendor
submitted materials during the process.
The language inserted into every RFP states:
      * All supporting documentation and manuals submitted with this
proposal will become the property of the University.  *

Once it is our property, the material goes with our documents retention
policy.  By policy, materials in a bid response are retained by Purchasing
for 7 years.


  Our attorney assigned to FOIA does not allow anything submitted as a bid
to be marked as confidential.

The actual language inserted into every RFP without exception is:

*The Vendor understands that the University complies with the Michigan
Freedom of Information Act (“FOIA”) and that the University may provide
Confidential Information to other persons or entities upon receipt of a
FOIA request.*
__

So labeling anything as confidential doesn't get us any exemption.  This
has certainly affected how I handle security materials in bid processes.

Just sharing with you all; you may want to double-check your processes, so
that is the only reason I'm sharing.  File it into the "things I would ask
about if I were interviewing for a job...".

Theresa

Theresa Rowe
Chief Information Officer
Oakland University


On Thu, Mar 1, 2018 at 8:27 AM, Penn, Blake C <
blake.penn () security gatech edu> wrote:

> You could always review the spreadsheet upon receipt and convert the
> responses to some numerical rating or the like and then destroy the
> original in cases like this.  That way only the scores could be FOIAed.
>
>
>
> Regards,
>
>
>
> Blake Penn
>
> Information Security Policy and Compliance Manager
>
> Cyber Security
>
> Georgia Institute of Technology
>
> (404) 385-5480
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Theresa Rowe
> *Sent:* Wednesday, February 28, 2018 13:06
>
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] HECVAT Users List
>
>
>
> We've hit a stumbling block on asking vendors to issue a security
> statement or spreadsheet like this as we received an interpretation that as
> a public university, any vendor response received in the bid process could
> be requested under FOIA and the open public bids process. If they said they
> wouldn't allow sharing, we couldn't guarantee that the response would not
> be shared. We started telling vendors this, and they quit agreeing to
> submit anything.  We try to get at this review later and not part of the
> procurement process.
>
>
>
> Theresa
>
>
> Theresa Rowe
>
> Chief Information Officer
> Oakland University
>
>
>
>
> On Thu, Feb 22, 2018 at 11:23 AM, Gregg, Christopher S. <
> csgregg () stthomas edu> wrote:
>
> We use our own set of standard questions currently but I am trying to move
> us to using the HECVAT.  For those who started to use the HECVAT, I am
> wondering if you have developed criteria for when to use it and when to use
> something even lighter than the lite version?  For example, are you tying
> the use of the tool to specific cost ranges or data security
> classifications used by the solution in question?
>
>
>
> I ask because my team (contracts, acquisition and budget fall in my area
> as well) is concerned that even the lite version will be onerous to apply
> to all cloud acquisitions.
>
>
>
> Thanks,
>
>
>
> Chris
>
>
>
>
>
> *Chris Gregg*
> Associate Vice President of Information Security & Risk Management, CISO
> Information Technology Services (ITS)
> csgregg () stthomas edu
> p 1 (651) 962-6265
> *University of St. Thomas* | stthomas.edu <https://www.stthomas.edu>
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Brian T. Huntley
> *Sent:* Thursday, February 22, 2018 5:41 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] HECVAT Users List
>
>
>
> We started using the HECVAT late in 2017 as well.
>
>
>
> We've incorporated it into the purchasing process, so a PO cannot be
> issued until we're satisfied with the responses.  This gets us in at the
> ground floor for new contracts and enables us to insert ourselves in
> renewals of existing contracts.
>
>
>
> So far, we've had occasion for three vendors to do it.  Based on the type
> of data we were sharing with them, the Lite version seemed most
> appropriate.  One vendor already had one done, the other two had never
> heard of it and took a couple of weeks to complete it but didn't really
> complain about the process.
>
>
>
> None of them were willing to have their completed HECVAT's nor their
> willingness to provide a completed HECVAT shared.
>
>
>
> Brian
>
>
>
>
>
>
> Brian T. Huntley, CISSP
>
> Director of Network Services and Information Security
>
> Office of Information Technology
>
> Clarkson University
>
> 315.268.6723
>
>
>
> On Wed, Feb 21, 2018 at 8:46 PM, Ken Connelly <ken.connelly () uni edu>
> wrote:
>
> In general, are you (collective you, not just Mark) using the full-blown
> HECVAT or the HECVAT Lite?
>
> - ken
>
> On 2/21/18 4:29 PM, Mark Dieterich wrote:
> > We've been telling vendors that EDU customers are adopting this, but
> > haven't had a sense of how widespread the adoption has been. I got the
> > green light have Brown listed, so we will be adding our name to the list.
> >
> > When this first came about, there was discussion on developing a
> > sharing platform where completed HECVATS or the fact that a vendor has
> > filled out a HECVAT, depending on their wishes, could be listed. Are
> > there any developments with this? I think we actually have one vendor
> > who indicated we could share and a few that gave us permission to list
> > them, it would be great if we could actually do something with these.
> >
> > Thanks,
> >
> > Mark
> >
> > On Wed, Feb 21, 2018 at 1:20 PM, Allen, Jon <Jon_Allen () baylor edu
> > <mailto:Jon_Allen () baylor edu>> wrote:
> >
> >     Hello!
> >
> >
> >
> >     The 2019 Higher Education Cloud Vendor Assessment Tool (HECVAT)
> >     working group is devoting effort to getting the word out about
> >     institutional HECVAT adoption.  We want to create a list of
> >     institutions that are using the HECVAT to publish on the HECVAT
> >     web page
> >     (https://library.educause.edu/resources/2016/10/higher-
> education-cloud-vendor-assessment-tool
> <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flibrary.educause.edu%2Fresources%2F2016%2F10%2Fhigher-education-cloud-vendor-assessment-tool&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cb2776680113247fa9be908d579e93bb6%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C636548965020060290&sdata=Pli%2F5nnEvAR0%2Bltu5pIHBVqzJypA0jXs1wFDd7cDMVc%3D&reserved=0>
> <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
> google.com%2Furl%3Fq%3Dhttps%3A%2F%2Flibrary.educause.edu%
> 2Fresources%2F2016%2F10%2Fhigher-education-cloud-
> vendor-assessment-tool%26sa%3DD%26ust%3D1519160086542000%26usg%
> 3DAFQjCNHtq6sVc7M6Yijyrp-FyIIhP7-g3A&data=01%7C01%
> 7Cjon_allen%40baylor.edu%7C2f31c9f2ae8048feb12908d5789c6998%
> 7C22d2fb35256a459bbcf4dc23d42dc0a4%7C1&sdata=xWyOTuLEnGCCgx273bRaeoOn%
> 2FF5jzLxFimJ28wRO8BQ%3D&reserved=0>).
> >     The purpose of this list is two-fold: First, to demonstrate HECVAT
> >     adoption at higher education institutions (so that vendors will
> >     want to participate in completing a HECVAT). Second, to provide a
> >     list of HECVAT references (so that institutions can contact their
> >     peers with HECVAT questions). If you are interested in being
> >     listed on the webpage in this manner, please fill out this form.
> >     Institutional names only (not contact information) will be listed
> >     on the webpage.
> >
> >
> >
> >     If you would like your institution to be listed in this way,
> >     please complete our form:
> >
> >
> >
> >     https://goo.gl/forms/BJlson23HVDMy1Q63
> <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgoo.gl%2Fforms%2FBJlson23HVDMy1Q63&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cb2776680113247fa9be908d579e93bb6%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C636548965020060290&sdata=Qt844LaBdFpqdxp%2FPBwXv%2FC%2B%2BfF62hoy83vRAkse1Us%3D&reserved=0>
> <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%
> 2Fgoo.gl%2Fforms%2FBJlson23HVDMy1Q63&data=01%
> 7C01%7Cjon_allen%40baylor.edu%7C2f31c9f2ae8048feb12908d5789c6998%
> 7C22d2fb35256a459bbcf4dc23d42dc0a4%7C1&sdata=BjbsQBbg%
> 2FPZVtOhlWIHMTXXOSHq1TTzBXwqVNMfqoQk%3D&reserved=0>
> >     Thanks,* *
> >
> >     * *
> >
> >     *_________________________________*
> >
> >     *Jon Allen, CISSP, EnCE *
> >
> >     *Assistant Vice President & *
> >
> >     *Chief Information Security Officer*
> >
> >     *Baylor University *
> >
> >     *254.710.4793 <tel:%28254%29%20710-4793 <%28254%29%20710-4793>>*
> >
> >     * *
> >
> >     /Users/jon_allen/Library/Containers/com.microsoft.
> Outlook/Data/Library/Caches/Signatures/signature_1325000890
> >     /        //www.baylor.edu/bearaware/
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.baylor.edu%2Fbearaware%2F&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cb2776680113247fa9be908d579e93bb6%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C636548965020060290&sdata=m5L%2FL28%2FjwP5DM22FXQ6eq5BaOfRRVVKeWVLdXCApac%3D&reserved=0>
> <http://www.baylor.edu/bearaware
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.baylor.edu%2Fbearaware&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cb2776680113247fa9be908d579e93bb6%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C636548965020060290&sdata=8PuA1fMxqTjBCQWjlxPugxkTzC4vD99Tn0FAPpXND2w%3D&reserved=0>
> >
>
> --
> - Ken
> =================================================================
> Ken Connelly                       Director, Information Security
> Information Security Officer          University of Northern Iowa
> email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373
>
> Any request to divulge your UNI password via e-mail is fraudulent!