Educause Security Discussion mailing list archives

Re: HECVAT - Vendor Refusal


From: "Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>
Date: Tue, 15 Jun 2021 13:45:24 +0000

Did they give you a reason why they won't fill it out?

I've had several that have refused... some we move to the next vendor, some we have signed NDAs to get the information...

-Jonathan



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ruth Ginzberg
Sent: Tuesday, June 15, 2021 8:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Agree with Isaac ... AND (perhaps because of the success of the HECVAT to date...) one of the things I'm finding I need 
to ask for is a RECENT version of the HECVAT ... been getting some moldy oldies from some vendors that really need to 
be updated to the current version...

Ruth Ginzberg
608-890-3961

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Isaac Straley
Sent: Tuesday, June 15, 2021 8:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal


Obvious but just so it's said: It is not up to the vendor what kind of assurance your program needs. It is entirely 
their choice if they want to do what you ask for or not.

Depending on the risk and our internal capacity to analyze, I've accepted other formats of assurance. But I take a hard 
look at suppliers who resist providing information, especially in a reusable vehicle like this. The answer to "why 
won't they do this" is an important factor.

The HECVAT isn't perfect but we've collectively really done a lot of good work to reduce the overhead on suppliers and 
it's a good faith effort to ask for it, in my opinion.

Isaac


--

Isaac Straley
Chief Information Security Officer
University of Toronto



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Menne, Michael S" <000002306ce3cd04-dmarc-request () LISTSERV EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, June 15, 2021 at 6:28 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] HECVAT - Vendor Refusal

For those that have used the HECVAT and HECVATlite, what has your response been to a vendor who refuses to fill out the 
full HECVAT and claims that HECVAT is only required for "sensitive data" (SSN, CC#, etc.)?

We have used the HECVAT lite only for situations where the data is completely public.  In all other situations, we've 
used the HECVAT. Most vendors take a few attempts to get the answers we are looking for, but I've only had one other 
that has said they won't fill it out at all.

Thank you,

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
https://mankato.mnsu.edu/cyberaware


Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


