Streamlining Vendor Risk Management with the HECVAT
Presented by: Joanna Grama, EDUCAUSE; Kim Milford, REN-ISAC
Agenda
Project inspiration and the "job to be done"
Phase I work and completion
Phase II deliverables and current status
Questions
Project Inspiration
Campuses are rapidly adopting cloud services and deploying software systems
Assessing the risk for cloud services and software systems as quickly as possible
Developing vendor risk management programs
Developing enterprise risk management programs
Too much to do to effectively do it all!
The Job to Be Done
How to easily and quickly share work done in many institutions
Free up time and resources for critical information security functions
Create a forum/space to share and find existing shared assessments
Build on higher education information security community sharing
Ease vendor burden in assessment response
This is a big project, so it was divided into two phases.
Phase I Deliverable
www.educause.edu/hecvat
Create a cloud services assessment questionnaire/template that can be used to surface a short executive summary for review and sharing.
Collaboration between Internet2, EDUCAUSE, REN-ISAC and its members.
The Higher Education Cloud Vendor Assessment Tool ("HECVAT" if you are cool)
Read The * Manual!
PROBLEM: No directions + 100's of questions = insufficient vendor responses
ANSWER: We provided a manual (in the form of an "Instructions" tab)!
Document layout: General Info; Sharing Selections; Documentation; Company Overview; Safeguards
[Image: HECVAT screenshot, accessed April 20, 2017]
Notes (Kim)
Initially, there are four use case specific sections...
Section (# of questions) / Summary
Third Parties* (4): When a vendor (third party) uses a third party to support their product it is important to document vendor security assessments, any legal agreements, and general use case information. Section requirement based on Qualifier.
Consulting* (11): Controlled through a Qualifier. Vendor assessments for consulting services require only a subset of questions to be answered; the remaining become optional.
PCI DSS* (12): Controlled through a Qualifier. The PCI DSS section is required when PCI DSS regulated data is shared.
HIPAA* (32): Controlled through a Qualifier. The HIPAA section is required when PCI DSS regulated data is shared. The largest section.
Although pioneering and useful, the HECVAT's scope is specific and it has some limitations
The tool is long and we recognize this could be cumbersome for low risk evaluations
Requires significant resources to properly digest and analyze vendor responses
May not be appropriate for vendor engagements using lower-level data classifications
Notes (Kim): Analysis will take time to develop expertise to suss out the +s and -s. Once your internal experts develop a baseline, it will go faster.
Phase II
Phase II started in March 2017. Deliverables include:
Feedback gathering
HECVAT Lite
Crosswalk to standards
Sharing infrastructure/proof of concept
Notes (Joanna):
HECVAT Lite: Is the lite version a subset of the DATA questions (rows ) in the current HECVAT? Is a lite version needed for "less complex" situations, or to flag vendors/products where more review might be needed?
Feedback gathering: What is the institutional experience in using the HECVAT?
Crosswalk work: Mapping to infosec standards as needed.
Expectations paper: Independent of the HECVAT or other tools, what types of information/documentation do we expect from cloud vendors regarding security and privacy?
Sharing infrastructure paper/proof of concept: This is the big kahuna deliverable.
Deliverable: HECVAT Lite
The HECVAT is a mere 284 questions. This includes qualifying questions for HIPAA and PCI opt-in.
The HECVAT Lite project is to create a very lightweight version of the HECVAT for use in special situations:
Short on time?
Short on personnel to review?
Short on budget?
Short on risk?
Deliverable: Crosswalk to Standards
Understanding how HECVAT questions compare to industry standards is useful. Did we mention, 284 questions? That is a lot to crosswalk.
Currently we are reviewing: ISO 27002:2013; NIST SP Controls; NIST SP Controls; NIST Cybersecurity Framework; CIS 20 Critical Security Controls (ver 6.1); HIPAA Security Regs; PCI DSS Regs.
Notes (Joanna): Mapping to sub-controls is probably an unreasonable expectation. Do we want to crosswalk to CSA CCM (which has mappings to other frameworks)? Yes, we should. This is a big iterative project.
REN-ISAC Cloud Broker Index
The Cloud Broker Index provides an up-to-date index of participating vendors with links to their completed assessments. If a vendor is already listed in the CBI, security assessors at colleges and universities can use the posted assessment, saving time for both security assessors and service providers.
If you'd like to see a vendor added to the Index, or if you have feedback, please contact us at and provide us with the vendor, the product, and contact information.
Internet2 Cloud Services
Enable cohesive cloud service administration, procurement, and orchestration for campuses
Enable enhanced community collaboration around cloud service evaluation and validation
Including HECVAT in NET+
Resource for sharing more security information
Questions for You
Have you used the HECVAT?
Take our survey and share your feedback please!
Questions for Us?
Thank You!
Please be sure to complete the session evaluation so that we can improve our presentation next time!