Educause Security Discussion mailing list archives
Re: HECVAT help
From: Christian Schreiber <chris () CSCHREIBER LLC>
Date: Mon, 13 Sep 2021 21:35:44 +0000
Hi Vince - if the bridge letter is accompanied by a promise they're working to finish the new assessment, I'd feel pretty comfortable with that response. Having worked on both the campus and vendor sides of vendor assessments, I know how the SOC2 audit process can easily slip so there's an apparent gap between Type 2 report coverage dates. I'd actually view the delay and bridge letter as a positive since it usually means they're digging into some deficiencies and fixing them as part of the overall audit process.

Evasive answers are always a red flag to me. If you're getting your answers from the sales org, try to get someone from the security team to meet with you instead. They're usually more transparent and don't have a sales commission on the line.

- Chris

---
Christian Schreiber, CISM, PMP
Office: 520.497.3614
Email: chris () cschreiber llc
Web: www.cschreiber.llc
C Schreiber LLC
Simplify your university cybersecurity strategy

Sent from a mobile device. Please excuse any typos.

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Vince Bonura <vbonura () FORDHAM EDU>
Sent: Monday, September 13, 2021 4:26:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT help

Chris,

I greatly appreciate the quick response! I asked a different vendor, who also sent an outdated SOC2, to send an updated version. I was instead provided a "Bridge Letter" from their CISO, attesting that the controls tested and verified the year prior were still in place. This was to appease me until they could provide a current report next month. The problem is that our Wellness Group wanted to finalize this contract two weeks ago! I just told them that I could not approve the vendor's risk controls as reported. While I was hoping to avoid this step, I sent the Wellness Group an IRQ and a DDQ to the vendor.

However, the vendor I referred to in my original post has given evasive answers to pointed questions AND has provided two outdated reports. This is a vendor that one of our colleges wanted to be signed two weeks ago too.

P.S. - Contract reviews and our internal process flow are new to me. So, I am going through a crash course in vendor report reviews.

Vince Bonura
IT Risk Analyst
Fordham University
(718) 817-1875

On Mon, Sep 13, 2021 at 5:12 PM Christian Schreiber <chris () cschreiber llc> wrote:

Vince - I would always push for a SOC 2 / Type 2 first. If they have mature processes they should be able to readily produce their current version. The HECVAT is a good option if they don't have a report from their auditor, but I'd also view the lack of a SOC report as a red flag about the maturity of their internal controls and security program.

Keep in mind the SOC 2 / Type 2 is attesting to the efficacy of their controls over a 12 month period, so it's not unusual to see one that was produced around a year earlier. I'd ask the vendor point blank when they'll have their updated report available. It could mean they're remediating something before finalizing the report, or they may have decided to let the whole process lapse. You're within your right as a customer to find out so you can make an informed decision about the risk of working with them.

Similarly, if the HECVAT is a year old I'd push for updated verification from them that their answers are still relevant.

Hope that helps.

- Chris

---
Christian Schreiber, CISM, PMP
Office: 520.497.3614
Email: chris () cschreiber llc
Web: www.cschreiber.llc
C Schreiber LLC
Simplify your university cybersecurity strategy

Sent from a mobile device. Please excuse any typos.

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Vince Bonura <vbonura () FORDHAM EDU>
Sent: Monday, September 13, 2021 3:51:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] HECVAT help

George,

Your post is timely! I just attended a HECVAT Working Group meeting and wanted to ask a related question. I joined the workgroup with hopes of gaining an understanding of the HECVAT and how it should be used. While I know the basic concept, I am just now reading my first vendor completed HECVAT that I received last Thursday.

The question I wanted to ask is: What's the comparison between a SOC2, Type 2 and the HECVAT? I originally requested a SOC2, Type 2 report from the vendor and received one dated 6/30/20. When I asked for a current copy, I was told that they completed a HECVAT and would supply that. The HECVAT I received from the vendor is dated 6/22/20. My assumption is that an outdated HECVAT is no better than an outdated SOC2, Type 2. Does everyone agree?

Thank you.

Vince Bonura
IT Risk Analyst
Fordham University
(718) 817-1875

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Viegas, George <viegas () CHAPMAN EDU>
Date: Monday, September 13, 2021 at 4:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] HECVAT help

Hi Brian,

I'm looking for resources to help understand how to read the HECVAT, specifically how to know what is a fully completed submission v/s an incomplete. The EDUCAUSE HECVAT webpage did not have resources to help me read and use a HECVAT. Could you please help me find the right resource?

Thanks,
-George

George Viegas, CIPP-US, CISSP, CISA
Chief Information Security Officer/Privacy Champion
Chapman University, Orange CA
viegas () chapman edu / 714-744-7979
Secure your Chapman Account today @ 2fa.chapman.edu !

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.

Additional participation and subscription information can be found at https://www.educause.edu/community