Leveraging the HECVAT for Cloud Vendor Assessments

Presentation on theme: "Leveraging the HECVAT for Cloud Vendor Assessments"— Presentation transcript:

1 Leveraging the HECVAT for Cloud Vendor Assessments

2 Introductions

3 What the HECVAT is
Project is two years old
Goal: to simplify, expedite and get higher-quality assessments
A win for the schools and the vendors

4 HECVAT Phase 2
Updated HECVAT
Crosswalk
Cloud Broker Index (CBI)

5 Crosswalk
CIS Critical Controls
HIPAA
ISO 27002:2013
NIST Cybersecurity Framework
NIST r1
NIST r4

6 HECVAT & the CBI
CBI = Cloud Broker Index
Balance accessibility with privacy

7 HECVAT & the CBI
We currently have a list of 20 interested vendors
REN-ISAC proactively reaches out to vendors
Please send vendors to us! We can provide scripted outreach as needed
Universities working with certain vendors provide facilitation
Box – our first vendor! 3 others now posted
Vendors come to REN-ISAC requesting participation

8 CBI

9 Cloud Broker Index (CBI)
Public: Hosted and linked on REN-ISAC web site; vendor sends the completed assessment to REN-ISAC
Public2: Vendor hosts, REN-ISAC links; vendor sends the link to the completed questionnaire
Semi-public: Vendor hosts, REN-ISAC links; vendor hosts behind a paywall, sends the link and information
Private: Vendor controls, REN-ISAC links; vendor keeps it private, sends instructions on how people can request it

10 HECVAT & the CBI

11 West Virginia University’s Case Study

12 WVU’s vendor assessment process
(process diagram: new or recurring request; assessment criteria, HECVAT used here; provided by vendor; completed by WVU)

13 Questionnaire
On-line form
Uses HECVAT questions
Vendor results compiled for analysis

14 What’s Next
Current process has limits
Purchasing a Governance, Risk and Compliance (GRC) system
HECVAT to be used in the vendor assessment module

15 Indiana University Case Study

16 The early years of assessment were primarily performed ad hoc
Third-party Security Assessment (3PA) request came in
An engineer or analyst would assess per individual's strengths
Depth of assessment and reporting style varied greatly
Original safeguard questionnaire(s) had a technical focus
Our old ways couldn’t keep up with the new reality
Notes: Giving background on where IU began in its third-party security assessment program. Technical-only reviews with inconsistent reporting. All business process and integration questions were done ad hoc, per request.

17 We moved away from pure technical to include strategy and business operations
Needed a way to assess RFP responses more efficiently
The needs of our data stewards grew with service adoption, and with it, our process
(diagram: Security Office, Data Stewards, Assess, Report, RFP, Cloud Dept., Protect Data!, Community)
Notes: We had been doing this before the HECVAT was released, but it was slow-going and not fully vetted. Our needs and what HECVAT offered were a near-perfect match. More and more of our questions were focused on process and data; the old questionnaire couldn’t keep up. Community: demands increased, processes that used to be “out of scope” were no longer, adoption of services/software continues to rise. Security Office: our assessment capabilities had to grow to match expectations for data stewards' decision-making and community strategy. Data stewards: as adoption grew, concern followed. More to protect now, more important now to protect!

18 Leveraging the HECVAT, IU could prioritize process improvements
(diagram: RFP, Training, Standardize, Onboard, Reporting*)
Better efficiency (HECVAT & HECVAT-Lite)
Standardization of the “middle” allowed us to focus on our onboarding phase: (10/80/10) > (Onboarding/HECVAT Assess/Report), ”the lopsided turtle” slide
Adopting the HECVAT created a spark that was not expected

19 University of Toronto Case Study

20 I have a HECVAT – now what?
Case study
The Good
The Arrogant
The New

21 Documented InfoSec policy?
Good – Yes; reviewed, updated, and approved by management at least annually.
Arrogant – Proprietary and Confidential
New – Yes; document attached
Notes: HLPP-04; PPPR. Some new ones have nothing yet. It is a measure of their maturity; allows feedback. Arrogant – keep on harping on transparency; keep on letting them know where the industry is moving.

22 Scan for vulnerabilities before a new release?
Good – Manual and automated built in; weekly web application vulnerability scans
Arrogant – Provide documentation that a scan was performed.
New – Scan prior to deployment; actively developing ability to provide results.
Notes: HLAP-05 – like the fact the HECVAT is helping new groups improve; same comment for the arrogant.

23 Data input validation: The good
[Vendor] must validate all inputs against acceptable values for the context. [Vendor] performs daily web application scanning to validate input validation and sanitization techniques.
Notes: HLAP lovely answer – can we point to the example on the REN-ISAC page? If we do, still need to validate. We ask for the SOC documents.

24 Data input validation: The arrogant – and wrong answer
This is for LMS integration. Authentication and authorization data will result from school-administrator-configured tools and the LMS. Direct authentication is not in scope and not available for this integration.

25 Data input validation: The new
Examples of validation error messages are given in the User Guide. [Vendor] follows OWASP recommendations for data validation best practices.

26 Log security/authz changes?
Good – Available; integrates with SIEM
Arrogant – Proprietary and confidential; screen shot could be provided
New – Basically everything logged; no customer view mentioned

27 Cloud Security: New Data Streams – New Disclosures, New Uses
Unauthorized Processing/Secondary Purposes
Covert Surveillance
Breach Detection, Remediation and Reporting
Data Permanence
Loss of Access
Jurisdiction
Contracts – Vendors charge – add to contract
What

28 Cloud Vendor contracts
Define access to data for incident analysis
Will they inform you of a breach?
How do you carry out an incident analysis?
Will your access to the data cost money?
Who informs your users? They should be your agent

29 Cloud Vendor Contracts (continued)
Security audits
Retention of data
Jurisdiction concerns: define location – easy to move

30 Cloud Vendor Contracts (continued)
Vendor lock-in: define data format; exit terms
Vendor third parties: the vendor is your agent – what about the vendor’s third parties? Do you know what contract the vendor has with their third parties to protect the information? The contract should state their third parties protect to the same level

31 Call to Community
Commit to HECVAT
Allow referencing
Educate vendors
Give feedback

32 Phase 3
Engage vendors: for HECVAT awareness; CBI participation
Automated triage

33 Educause Webinar
For Educause vendor partners to learn about the HECVAT
July 30th, 1:30 ET

34 Tools to Triage
Automate scoring of HECVAT
Highlight areas of possible deficiency
May not cover the full HECVAT question list
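The slide only names what a triage tool does: score the responses, point the analyst at weak sections, and admit that it cannot score questions it never saw. The script below is an added illustration of that idea, not a tool from REN-ISAC, the HECVAT project, or any of the presenting universities. It assumes a simplified flat record of (question ID, section, answer, comment) rather than the real HECVAT spreadsheet layout; the question IDs reuse the HLPP-/HLAP- style seen on the slides, but the questions behind them, the "Logging" section, the LOG-* IDs, the evasive-phrase list and all sample answers are constructed for the demo. The "evasive" class mirrors the slides' "arrogant" responses ("Proprietary and Confidential"), which score as a follow-up item rather than as a met control.

```python
"""Toy triage scorer for HECVAT-style vendor responses (added illustration)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a flat list of records. The real HECVAT is a spreadsheet with its
# own analyst scoring sheet; this layout is simplified for the example.
@dataclass
class Response:
    qid: str          # page-style ID such as "HLPP-04"; question text is not modelled
    section: str      # section name (assumed; the real sheet has its own naming)
    answer: str       # "Yes", "No", "N/A", blank, or free text
    comment: str = ""

# Phrases that signal a non-answer rather than a control. Assumed list; extend as needed.
EVASIVE_MARKERS = ("proprietary", "confidential", "not in scope")

def classify(r: Response) -> str:
    """Map one response to met / gap / evasive / unanswered / na."""
    text = f"{r.answer} {r.comment}".strip().lower()
    ans = r.answer.strip().lower()
    if not text:
        return "unanswered"
    if ans in ("n/a", "na", "not applicable"):
        return "na"
    if any(m in text for m in EVASIVE_MARKERS):
        return "evasive"          # a "yes" hedged with secrecy still needs a follow-up
    if ans == "yes":
        return "met"
    if ans == "no":
        return "gap"
    return "unanswered"           # free text with no yes/no: leave it to the analyst

def score_sections(responses):
    """Per-section tally and the share of scored (non-N/A) answers that are met."""
    tally = defaultdict(lambda: defaultdict(int))
    for r in responses:
        tally[r.section][classify(r)] += 1
    out = {}
    for section, counts in tally.items():
        scored = sum(v for k, v in counts.items() if k != "na")
        met = counts.get("met", 0)
        out[section] = {"counts": dict(counts), "scored": scored,
                        "ratio": met / scored if scored else None}
    return out

def triage(responses, threshold=0.75):
    """Sections below the threshold, weakest first, with the IDs an analyst should chase."""
    flagged = []
    for section, s in score_sections(responses).items():
        if s["ratio"] is not None and s["ratio"] < threshold:
            follow_up = [r.qid for r in responses if r.section == section
                         and classify(r) in ("gap", "evasive", "unanswered")]
            flagged.append({"section": section, "ratio": s["ratio"], "follow_up": follow_up})
    return sorted(flagged, key=lambda f: f["ratio"])

def uncovered(responses, expected_ids):
    """IDs the triage never saw: a clean triage does not mean the full list was answered."""
    seen = {r.qid for r in responses}
    return sorted(set(expected_ids) - seen)

# Constructed sample responses (not real vendor data).
SAMPLE = [
    Response("HLPP-04", "Policies, Procedures, and Processes", "Yes",
             "Reviewed, updated, and approved by management at least annually"),
    Response("HLPP-05", "Policies, Procedures, and Processes", "Proprietary and Confidential"),
    Response("HLAP-05", "Application/Service Security", "Yes",
             "Weekly web application vulnerability scans"),
    Response("HLAP-06", "Application/Service Security", "No"),
    Response("HLAP-07", "Application/Service Security", ""),
    Response("LOG-01", "Logging (constructed section)", "Yes", "Integrates with SIEM"),
    Response("LOG-02", "Logging (constructed section)", "N/A", "No customer-facing console"),
]
# Constructed "full list": one ID the vendor never answered at all.
EXPECTED_IDS = [r.qid for r in SAMPLE] + ["HLAP-08"]

if __name__ == "__main__":
    for section, s in score_sections(SAMPLE).items():
        print(f"{section}: {s['counts']} ratio={s['ratio']}")
    for f in triage(SAMPLE):
        print(f"FOLLOW UP {f['section']} ({f['ratio']:.2f}): {f['follow_up']}")
    print("not covered by triage:", uncovered(SAMPLE, EXPECTED_IDS))
```

Two design choices matter for a real deployment: N/A answers are excluded from the denominator so a SaaS vendor is not penalised for datacenter questions that do not apply, and the `uncovered` check is what turns "may not cover the full HECVAT question list" into something the analyst sees on every run instead of a caveat on a slide.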

35 Feedback and Questions

