Educause Security Discussion mailing list archives
Re: HECVAT - Vendor Refusal
From: Henry Wojteczko <hank.wojteczko () CLASSEDESIGNUSA COM>
Date: Tue, 15 Jun 2021 13:44:38 +0000
Michael:

Speaking as a vendor, I totally agree with Isaac. Yes, it was time-consuming for my organization to complete the HECVAT. And yes, it was a team effort to complete it. But from my perspective, this is part of what a vendor should do to demonstrate that they are capable of delivering on what is promised.

Thanks;

Hank Wojteczko
Practice Manager – Cloud Professional Services
David Kent Consulting, Inc.
832.226.4432(m)
hankwojteczko () davidkentconsulting com
www.davidkentconsulting.com

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Isaac Straley <isaac.straley () UTORONTO CA>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, June 15, 2021 at 8:40 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Obvious but just so it’s said: It is not up to the vendor what kind of assurance your program needs.
It is entirely their choice if they want to do what you ask for or not. Depending on the risk and our internal capacity to analyze, I’ve accepted other formats of assurance. But I take a hard look at suppliers who resist providing information, especially in a reusable vehicle like this. The answer to “why won’t they do this” is an important factor. The HECVAT isn’t perfect but we’ve collectively really done a lot of good work to reduce the overhead on suppliers and it’s a good faith effort to ask for it, in my opinion.

Isaac

--
Isaac Straley
Chief Information Security Officer
University of Toronto

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Menne, Michael S" <000002306ce3cd04-dmarc-request () LISTSERV EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, June 15, 2021 at 6:28 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] HECVAT - Vendor Refusal

For those that have used the HECVAT and HECVATlite, what has your response been to a vendor who refuses to fill out the full HECVAT and claims that HECVAT is only required for “sensitive data” (SSN, CC#, etc.)? We have used the HECVAT lite only for situations where the data is completely public. In all other situations, we’ve used the HECVAT. Most vendors take a few attempts to get the answers we are looking for, but I’ve only had one other that has said they won’t fill it out at all.
Thank you,

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
https://mankato.mnsu.edu/cyberaware

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community