Educause Security Discussion mailing list archives

Re: HECVAT - Vendor Refusal


From: Kevin Cleary <kpcleary () BUFFALO EDU>
Date: Tue, 15 Jun 2021 14:45:55 +0000

While we don't use the HECVAT in all instances, we use a home-grown tool that
is heavily inspired by it. In some instances, if the vendor is able to
provide alternate documentation such as a HECVAT, SOC 2, third-party
assessment, etc., we can use these documents instead for the review process.

We only require completion of a vendor review process when:

* A certain dollar threshold is met
* The data classification meets our category 1 or 2 standards
* Some type of expectation exists for backend system integration (such
  as SSO) and/or data provisioning.

We've had some instances where a vendor has refused to complete this and
provided no other documentation as it was "too much work" for them. My
off-the-cuff response to this is typically "well, how badly do they want to do
business with us?" My internal monologue is "well, if this is too difficult,
how good of a job do they do maintaining security on their systems?" :-P

Regardless of their reasons for not completing this process, we do have an
exception process in place:

In the event the vendor is unable to provide sufficient evidence of a
well-implemented security program and the business unit persists with the
purchase despite being told of the risks involved, our VP CIO and the
Dean/VP of the area pushing for the acquisition have to sign off on the
exception.

--

Kevin Cleary, CISSP

Interim Information Security Officer

Manager, Systems Software

University at Buffalo Information Technology

305 Computing Center

Buffalo NY 14260-1407

Phone: 716-645-4767

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of King, Ronald A.
Sent: Tuesday, June 15, 2021 10:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

These are some very good points. I especially like the comment that it's your
responsibility to perform your evaluations as you see fit. The
classification of the data is the institution's responsibility, not the
vendor's. That is a red flag and would make us less likely to use their
product. They do not understand your needs.

I have found that once the vendors do complete it, they are relieved they
have and reuse it for new clients. I have even had one VP report to me that
the fact they had completed it for my institution gave them opportunities
with other institutions. They increased business because of it. What vendor
would not want to do that?

Thank you,

Ronald King

Director of OIT Security

With Office 365, you can report a message as phishing or junk. Using Outlook
in a web browser or the mobile Outlook app, start by clicking/tapping
"Junk/Report Junk!"

Office of Information Technology

(757) 823-2916 (Office)

raking () nsu edu

www.nsu.edu

@NSUCISO (Twitter)

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Tuesday, June 15, 2021 10:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Ah.. Okay..

So, what I do, in lieu of the HECVAT (and I can't choose a different
vendor), is a standard data rider agreement that we ask them to sign along
with the contract that covers most of the critical pieces..

I'm happy to share if interested...

-Jonathan

~

Jonathan Kimmitt

CISSP, FIP, CDPSE, CIPP/E, CIPM, CIPT, OTCP, GLEG, GPEN, GSNA, PCIP, CEH

Chief Information Security Officer

Information Technology

The University of Tulsa

918.631.2743

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Menne, Michael S
Sent: Tuesday, June 15, 2021 9:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Jonathan,

They disagree with the intent of the HECVAT vs. Lite. They consider the
HECVAT to be only for the most restricted data (HIPAA, PCI, SSN, etc.). They
consider the HECVAT Lite to be good enough for "sensitive" data. This is a
vendor that a department on campus wants to use to move an existing
on-premises solution to a cloud version. I like the scoring feature of the
HECVAT. I haven't used the HECVAT Lite a lot so far. The HECVAT has a good
set of questions that allow me to get assurances of how a vendor handles
their data security.

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Tuesday, June 15, 2021 8:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Did they give you a reason why they won't fill it out?

I've had several that have refused. Some we move to the next vendor, some we
have signed NDAs to get the information...

-Jonathan

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ruth Ginzberg
Sent: Tuesday, June 15, 2021 8:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Agree with Isaac... AND (perhaps because of the success of the HECVAT to
date...) one of the things I'm finding I need to ask for is a RECENT version
of the HECVAT... been getting some moldy oldies from some vendors that really
need to be updated to the current version.

Ruth Ginzberg
608-890-3961

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Isaac Straley
Sent: Tuesday, June 15, 2021 8:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HECVAT - Vendor Refusal

Obvious but just so it's said: It is not up to the vendor what kind of
assurance your program needs. It is entirely their choice if they want to do
what you ask for or not.

Depending on the risk and our internal capacity to analyze, I've accepted
other formats of assurance. But I take a hard look at suppliers who resist
providing information, especially in a reusable vehicle like this. The
answer to "why won't they do this" is an important factor.

The HECVAT isn't perfect but we've collectively really done a lot of good
work to reduce the overhead on suppliers and it's a good faith effort to ask
for it, in my opinion.

Isaac

--

Isaac Straley

Chief Information Security Officer

University of Toronto

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Menne, Michael S"
<000002306ce3cd04-dmarc-request () LISTSERV EDUCAUSE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, June 15, 2021 at 6:28 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] HECVAT - Vendor Refusal

For those that have used the HECVAT and HECVAT Lite, what has your response
been to a vendor who refuses to fill out the full HECVAT and claims that
HECVAT is only required for "sensitive data" (SSN, CC#, etc.)?

We have used the HECVAT Lite only for situations where the data is
completely public. In all other situations, we've used the HECVAT. Most
vendors take a few attempts to get the answers we are looking for, but I've
only had one other that has said they won't fill it out at all.

Thank you,

Michael Menne, CISSP

Chief Information Security Officer

IT Solutions Information Security

Minnesota State University, Mankato

https://mankato.mnsu.edu/cyberaware


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy and
paste their email address and forward the email reply. Additional
participation and subscription information can be found at
https://www.educause.edu/community

Attachment: smime.p7s