Re: HECVAT - Vendor Refusal

["Powell, Andy" <ap16 () WILLIAMS EDU>]

In some cases, we (OIT) may not have the authority to deny another business
unit the access to the software solution of choice, although it would be
nice.

When that occurs and the vendor is HECVAT-resistant, I opt for a meeting to
ask them things like, "how will users log into your platform? How do you
support MFA and SSO?" and "How can we extract logs from the environment to
ingest into ours?"

These questions may highlight the integrations that the vendor needs but
doesn't always spell out very well, and poorly answering them may give you
a risk-based rationale for "continuing to search for a more compatible
vendor" as opposed to outright denying this particular one.

Just my 2 pennies.

Andrew F. Powell Jr., CISSP, CCSP
Information Security Director
Williams College
22 Lab Campus Drive, Williamstown, MA, 01267
O - (413) 597 - 4340
C - (978) 502 - 0086
(he/him/his)


On Tue, Jun 15, 2021 at 10:09 AM Menne, Michael S <
000002306ce3cd04-dmarc-request () listserv educause edu> wrote:

> Johnathon,
>
> They disagree with the intent of the HECVAT vs lite.  They consider the
> HECVAT to be only for he most restricted data (HIPAA, PCI, SSN, etc). They
> consider the HEVAT lite to be good enough for “sensitive” data.  This is a
> vendor that a department on campus want to move an existing on-premise
> solution to a cloud version.  I like the scoring feature of the HECVAT.  I
> haven’t used the HECVAT lite a lot so far. The HECVAT has a good set of
> questions that allow me to get assurances of how a vendor handles their
> data security.
>
>
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Kimmitt, Jonathan
> *Sent:* Tuesday, June 15, 2021 8:45 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] HECVAT - Vendor Refusal
>
>
>
> Did they give you a reason why they won’t fill it out?
>
>
>
> I’ve had several that have refused… some we move to the next vendor, some
> we have signed NDA’s to get the information…..
>
>
>
> -Jonathan
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Ruth Ginzberg
> *Sent:* Tuesday, June 15, 2021 8:43 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] HECVAT - Vendor Refusal
>
>
>
> Agree with Isaac … AND (perhaps because of the success of the HECVAT to
> date…) one of the things I’m finding I need to ask for is a RECENT version
> of the HECVAT … been getting some moldy oldies from some vendors that
> really need to be updated to the current version…
>
>
>
> *Ruth Ginzberg*
> 608-890-3961
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Isaac Straley
> *Sent:* Tuesday, June 15, 2021 8:40 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] HECVAT - Vendor Refusal
>
>
>
> *External Email: Use caution responding, opening attachments, or clicking
> on links.*
>
> Obvious but just so it’s said: It is not up to the vendor what kind of
> assurance your program needs. It is entirely their choice if they want to
> do what you ask for or not.
>
>
>
> Depending on the risk and our internal capacity to analyze, I’ve accepted
> other formats of assurance. But I take a hard look at suppliers who resist
> providing information, especially in a reusable vehicle like this. The
> answer to “why won’t they do this” is an important factor.
>
>
>
> The HECVAT isn’t perfect but we’ve collectively really done a lot of good
> work to reduce the overhead on suppliers and it’s a good faith effort to
> ask for it, in my opinion.
>
>
>
> Isaac
>
>
>
>
>
> --
>
>
>
> Isaac Straley
>
> Chief Information Security Officer
>
> University of Toronto
>
>
>
>
>
>
>
> *From: *The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Menne, Michael S" <
> 000002306ce3cd04-dmarc-request () LISTSERV EDUCAUSE EDU>
> *Reply-To: *The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU>
> *Date: *Tuesday, June 15, 2021 at 6:28 AM
> *To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject: *[SECURITY] HECVAT - Vendor Refusal
>
>
>
> *EXTERNAL EMAIL:*
>
> For those that have used the HECVAT and HECVATlite, what has your response
> been to a vendor who refuses to fill out the full HECVAT and claims that
> HECVAT is only required for “sensitive data” (SSN, CC#, etc.)?
>
>
>
> We have used the HECVAT lite only for situations where the data is
> completely public.  In all other situations, we’ve used the HECVAT. Most
> vendors take a few attempts to get the answers we are looking for, but I’ve
> only had one other that has said they won’t fill it out at all.
>
>
>
> Thank you,
>
>
>
> *Michael Menne, CISSP*
>
> *Chief Information Security Officer*
>
> *IT Solutions Information Security*
>
> *Minnesota State University, Mankato*
>
> https://mankato.mnsu.edu/cyberaware
> <https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmankato.mnsu.edu%2Fcyberaware&data=04%7C01%7Cmichael.menne%40MNSU.EDU%7Cb398762d0d2a4dc401bb08d93003d5ff%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637593615301592469%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=0oLQR7KJUvP2hcV%2BJa17TRRILydix8BN%2Bi7JAPqn0Dg%3D&reserved=0>
>
>
>
> [image: signature_1581601845]
>
>
>
> *Confidentiality Notice: This e-mail message, including any attachments,
> is for the sole use of the intended recipient(s) and may contain
> confidential and privileged information.  Any unauthorized review, use,
> disclosure or distribution is prohibited.  If you are not the intended
> recipient, please contact the sender by reply e-mail and destroy all copies
> of the original message.*
>
>
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Cmichael.menne%40MNSU.EDU%7Cb398762d0d2a4dc401bb08d93003d5ff%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637593615301602431%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=lEjMPTg8VTXYafNnvV92jDz1xWXS8giuJfab3Jhlrc4%3D&reserved=0>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Cmichael.menne%40MNSU.EDU%7Cb398762d0d2a4dc401bb08d93003d5ff%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637593615301602431%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=lEjMPTg8VTXYafNnvV92jDz1xWXS8giuJfab3Jhlrc4%3D&reserved=0>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Cmichael.menne%40MNSU.EDU%7Cb398762d0d2a4dc401bb08d93003d5ff%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637593615301612383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=J0q%2B2bR4eJt9jGnVm9SFKniHi3ZQHSE%2BjPofDf2Dec0%3D&reserved=0>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
> <https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7Cmichael.menne%40MNSU.EDU%7Cb398762d0d2a4dc401bb08d93003d5ff%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637593615301622339%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=OJZ0cqOfY%2BjqzDhXRswsfZvSNq1qvlPBZYgB8uL0bX4%3D&reserved=0>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community