Educause Security Discussion mailing list archives

Re: HECVAT help


From: Christian Schreiber <chris () CSCHREIBER LLC>
Date: Mon, 13 Sep 2021 21:35:44 +0000

Hi Vince - if the bridge letter is accompanied by a promise they're working to finish the new assessment, I'd feel 
pretty comfortable with that response. Having worked on both the campus and vendor sides of vendor assessments, I know 
how the SOC2 audit process can easily slip so there's an apparent gap between Type 2 report coverage dates. I'd 
actually view the delay and bridge letter as a positive since it usually means they're digging into some deficiencies 
and fixing them as part of the overall audit process.

Evasive answers are always a red flag to me. If you're getting your answers from the sales org, try to get someone from 
the security team to meet with you instead. They're usually more transparent and don't have a sales commission on the 
line.
- Chris


---
Christian Schreiber, CISM, PMP

Office: 520.497.3614
Email: chris () cschreiber llc
Web: www.cschreiber.llc

C Schreiber LLC
Simplify your university cybersecurity strategy

Sent from a mobile device. Please excuse any typos.
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Vince Bonura 
<vbonura () FORDHAM EDU>
Sent: Monday, September 13, 2021 4:26:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT help

Chris,

I greatly appreciate the quick response!

I asked a different vendor, who also sent an outdated SOC2, to send an updated version. I was instead provided a 
"Bridge Letter" from their CISO, attesting that the controls tested and verified the year prior were still in place. 
This was to appease me until they could provide a current report next month. The problem is that our Wellness Group 
wanted to finalize this contract two weeks ago! I just told them that I could not approve the vendor's risk controls as 
reported. While I was hoping to avoid this step, I sent the Wellness Group an IRQ and a DDQ to the vendor.

However, the vendor I referred to in my original post has given evasive answers to pointed questions AND has provided 
two outdated reports. This is a vendor that one of our colleges wanted to be signed two weeks ago too.

P.S. - Contract reviews and our internal process flow are new to me. So, I am going through a crash course in vendor 
report reviews.

Vince Bonura
IT Risk Analyst

Fordham University
(718) 817-1875


On Mon, Sep 13, 2021 at 5:12 PM Christian Schreiber <chris () cschreiber llc> wrote:
Vince - I would always push for a SOC 2 / Type 2 first. If they have mature processes they should be able to readily 
produce their current version. The HECVAT is a good option if they don't have a report from their auditor, but I'd also 
view the lack of a SOC report as a red flag about the maturity of their internal controls and security program.

Keep in mind the SOC 2 / Type 2 is attesting to the efficacy of their controls over a 12 month period, so it's not 
unusual to see one that was produced around a year earlier. I'd ask the vendor point blank when they'll have their 
updated report available. It could mean they're remediating something before finalizing the report, or they may have 
decided to let the whole process lapse. You're within your rights as a customer to find out so you can make an informed 
decision about the risk of working with them.

Similarly, if the HECVAT is a year old I'd push for updated verification from them that their answers are still 
relevant.

Hope that helps.
- Chris


---
Christian Schreiber, CISM, PMP

Office: 520.497.3614
Email: chris () cschreiber llc
Web: www.cschreiber.llc

C Schreiber LLC
Simplify your university cybersecurity strategy

Sent from a mobile device. Please excuse any typos.
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Vince Bonura 
<vbonura () FORDHAM EDU>
Sent: Monday, September 13, 2021 3:51:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT help

George,

Your post is timely! I just attended a HECVAT Working Group meeting and wanted to ask a related question.

I joined the workgroup with hopes of gaining an understanding of the HECVAT and how it should be used. While I know the 
basic concept, I am just now reading my first vendor completed HECVAT that I received last Thursday.

The question I wanted to ask is: What's the comparison between a SOC2, Type 2 and the HECVAT?

I originally requested a SOC2, Type 2 report from the vendor and received one dated 6/30/20. When I asked for a current 
copy, I was told that they completed a HECVAT and would supply that. The HECVAT I received from the vendor is dated 
6/22/20.

My assumption is that an outdated HECVAT is no better than an outdated SOC2, Type 2.

Does everyone agree?

Thank you.

Vince Bonura
IT Risk Analyst

Fordham University
(718) 817-1875


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Viegas, George 
<viegas () CHAPMAN EDU>
Date: Monday, September 13, 2021 at 4:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] HECVAT help

Hi Brian,

I'm looking for resources to help understand how to read the HECVAT, specifically how to know what is a fully completed 
submission vs. an incomplete one. The EDUCAUSE HECVAT webpage did not have resources to help me read and use a HECVAT. 
Could you please help me find the right resource?

Thanks,

-George

George Viegas, CIPP-US, CISSP, CISA
Chief Information Security Officer/Privacy Champion
Chapman University, Orange CA
viegas () chapman edu / 714-744-7979

Secure your Chapman Account today @ 2fa.chapman.edu !

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community