Strategies for Streamlining Security Assessments using HECVAT Presented
- Slides: 69
Strategies for Streamlining Security Assessments using HECVAT Presented by: Joshua Callahan • Susan Coleman • Charles Escue • Brian Kelly • Nick Lewis
Welcome and Introductions
Welcome and Introductions • Your name, your school, why you’re here • Where are you in your cloud journey? • When you say infosec, what do you mean? • When you say cloud, what do you mean?
Report Out • Are you using HECVAT? If not, why not? • Summary of the discussion • What do you want to get out of this workshop?
Resources • HECVAT website: • https: //library. educause. edu/resources/2016/10/hi gher-education-cloud-vendor-assessment-tool • Cloud Broker Index: • https: //www. ren-isac. net/publicresources/hecvat. html
Agenda ▪ Background o o o Cloud strategies Internal Partners and collaborations HECVAT Walk through a HECVAT Assessment Developing a Comprehensive Vendor Assessment Program
Agenda (continued) ▪ Comprehensive Vendor Assessment Programs ▪ Campus examples ▪ 2 pm: Break
Conference Session ▪ Will be a subset of this seminar ▪ Hoping you become an evangelist! ▪ Bring peers and colleagues even in other areas
Background
Cloud Strategy ▪ Do you have a cloud strategy? ▪ Is the concept still valid? ▪ Changes that the cloud resolution caused
What the HECVAT ▪ History ▪ Unique collaboration ▪ Ongoing Working Group and Governance
Project Inspiration ▪Campuses are rapidly adopting cloud services and deploying software systems ▪Assessing the risk for cloud services and software systems as quickly as possible ▪Developing vendor risk management programs ▪Developing enterprise risk management programs ▪Too much to do to effectively do it all!
The Job to Be Done ▪How to as easily and quickly as reasonably possible share work done at one campus with other campuses ▪Freeing up time & resources to dedicate back to critical information security functions ▪Create a forum/space to share and find existing shared assessments ▪Build on the existing higher education information security community sharing ▪Ease vendor burden in responding to security and privacy product assessment requests
What the HECVAT! ▪Project is three years old ▪Goal to simplify, expedite and create higher quality assessments ▪A win for institutions and vendors alike
The HECVAT working group is the best!
HECVAT Core Team Jon Allen, Baylor University Josh Callahan, Humboldt State University Charles Escue, Indiana University Staff Liaisons from EDUCAUSE, Internet 2, and REN-ISAC Valerie Vogel, Brian Kelly, Nick Lewis, Susan Coleman
Phase 4 Volunteers – Many Thanks! • • • • Jon Allen, Baylor University (working group chair) Matthew Buss, Internet 2 Josh Callahan, Humboldt State University Andrea Childress, University of Nebraska Tom Coffy, University of Tennessee Susan Cullen, CSU Office of the Chancellor Michael Cyr, University of Maine System Debra Dandridge, Texas A&M University Niranjan Davray, Colgate University Charles Escue, Indiana University Carl Flynn, Baylor University Ruth Ginzberg, University of Wisconsin System Sean Hagan, Yavapai College • • • • Daphne Ireland, Princeton Amy Kobezak, Virginia Tech Sue Mc. Glashan, University of Toronto Hector Molina, East Carolina University Mark Nichols, Virginia Tech Laura Raderman, Carnegie Mellon University Kyle Shachmut, Harvard University Bob Smith, Longwood University Kyle Smith, Georgia Tech Christian Vinten-Johansen, Penn State University Valerie Vogel and Brian Kelly, EDUCAUSE Nick Lewis, Internet 2 Susan Coleman, REN-ISAC
Campuses Using the HECVAT American University Drexel University Morgan State University of Delaware Appalachian State University Duquesne University Northern Arizona University of Denver Art Institute of Chicago East Carolina University Oakland University of Idaho Bates College Ferris State University Ohio Northern University of Maine System Baylor University Foothill-De Anza Community College District Oregon State University of Maryland Baltimore Berry College Franklin & Marshall College Pace University of Massachusetts Amherst Boston College Georgia Institute of Technology Pepperdine University of Oregon Bowling Green State University Hillsborough Community College Princeton University of Portland Brown University Indiana University Radford University of Rhode Island California Baptist University Indiana Wesleyan University Rice University of Richmond California State University, all Campuses and System. Institute for Advanced Study Rutgers University of Tennessee, Knoxville Carnegie Mellon University John Carroll University Sam Houston State University of Texas at Austin Carthage College Kent State University Southern Alberta Institute of Technology Virginia Tech Champlain College Le. Tourneau University Springfield College West Texas A&M University Clarkson University Linfield College Stony Brook University West Virginia University Columbus State Community College Longwood University Suffolk County Community College Western Carolina University Cornell University Madison College Susquehanna University Western Michigan University Davidson College Marylhurst University Texas State University William & Mary Denison University Miami University Troy University Williams College De. Sales University Montclair State University Truman State University Yavapai College Drake University Montgomery College University of California, Davis
Phase 4 Deliverables • On-Prem version of HECVAT! • Triage tool inclusion with HECVAT! • Other updates to the questionnaires
Updates in the last year • Engagement to Service Providers • HECVAT for GCP, Last. Pass, and others • Engagement with 3 rd party risk service providers • Marketing and communications • IT Accessibility • Contracts • Naming! Still HECVAT.
Overview of HECVAT
Vendor guidance improves responses
Vendor response expectations were clarified
Aligning reports to industry standards assist in the HECVAT integration process
The Analyst report provides function to move qualitative results into quantitative scoring
The new HECVAT scoring function provides an excellent starting point for evaluation efforts
The Summary Report gives a quick view of a vendor's security state
Different Versions of the HECVAT Tool • HECVAT (full questionnaire) • HECVAT Lite • HECVAT On-Prem • HECVAT Triage
HECVAT - Demo
Developing a Comprehensive Vendor Assessment Program
Increase Campus Involvement ▪ Success is dependent on campus involvement ▪ Shorten the review cycle ▪ Improve the quality of responses
Campus Partnerships ▪ Procurement ▪ Legal ▪ Audit ▪ Campus Departments
Contracts o Frame the conversation o A key security control o Service addendum (example)
Using HECVAT in Procurement
Campus Procurement o o How does campus procurement work from the IT Department perspective? IT Department, Information Security, and Procurement at times work closely on campus wide projects
HECVAT in Procurement o o o How are campuses including HECVAT in their procurement? Procurement may collect the questionnaire for the infosec team to review Some campuses are including HECVAT in annual reviews, renewals, etc.
Managing Vendor Risk o o o Information Security is one aspect of managing Vendor or 3 rd Party risk Campuses are now including information security requirements in their agreements HECVAT is one potential component
Cloud Broker Index https: //www. renisac. net/hecvat/cbi. html
HECVAT & the CBI o CBI = Cloud Broker Index o HECVAT Phase 2 o Convenience o Single source o Balance accessibility with privacy
Service Providers Using HECVAT 20 Service Providers with 27 HECVATs!
Service Providers Including HECVAT in their tools 8 Service Providers
HECVAT & the CBI REN-ISAC proactively reach out to vendors Universities working with certain vendors provide facilitation Vendors come to RENISAC requesting participation • Please send vendors to us! • hecvat@ren-isac. net • We can provide scripted outreach as needed
Cloud Broker Index (CBI) Public: • Vendor sends completed assessment to HECVAT@REN-ISAC. net Public 2: • Hosted and linked on REN-ISAC web site Vendor hosts, REN-ISAC links Vendor sends the link to completed questionnaire Semi-public: Vendor hosts, REN-ISAC links • Vendor hosts behind paywall, sends the link and information Private: Vendor controls, REN-ISAC links • Vendor keep private, send instructions on how people can request
Vendor Partner Value ▪ Shows engagement in the procurement conversation ▪ Reduce redundant use or staff ▪ Increase quality of assessments ▪ Differentiation in the marketplace ▪ Being seen as engaged with the community ▪ Getting contacts at potential customers
Vendor Partner Value
Assessment Report ▪ HECVAT gathers the information ○ Provides triage ▪ Communicating risk and recommendation ▪ Sets expectations for business and technical implementation
Example Report • Project Overview • Point of Contact • System Description
Example Report continued • Supported technologies (optional) • System administration and authentication • Data security
Example Report continued • Application auditing • Solution overview • System • Hosting • Software • Content • On premise needs
Example Report continued • Assumptions • Security risks • Recommendations
Example Report continued • Related documents • Summary
Review Process • Submission • Review • Security Review • Departmental Approval
Campus Examples
Indiana University Case Study
The early years of assessment were primarily performed ad-hoc Third-party Security Assessment (3 PA) request came in An engineer or analyst would assess per individuals strengths Depth of assessment and reporting style varied greatly Original safeguard questionnaire(s) had a technical focus Our old ways couldn’t keep up with the new reality
We moved away from pure technical to include strategy and business operations o o Needed a way to assess RFP responses more efficiently The needs of our data stewards grew with service adoption and with it, o process RFP Cloud Assess Report Protect Data! Dept. Community Security Office Data Stewards
After adopting the HECVAT, IU prioritized risk assessment process improvements HECVAT Standardization Operations Reporting
California State University Case Study
How We Got Here The Problem The Goal The 23 campuses in the system and our Chancellor’s Office have widely varying IT procurement processes. Additionally, we often use different definitions. We set out to develop a common vendor assessment process that produces a risk ranking. This would allow subsequent campuses to review that score and decide if the solution falls within their risk appetite. That led us to a common set of procurement forms and to standardize on asking for the HECVAT
Let’s Play 300 Questions! • One challenge was the length, both filling out and reading – could we automate the scoring? • We started with a separate scoring spreadsheet that could read a filled HECVAT and produce some numerical scoring
Call to Community and Future Direction
Call to Community • Commit to HECVAT • Allow referencing • Educate Vendors • Give feedback
Future Direction – Phase 5 • Brainstorm on ideas for the next phase • Engage with existing working group members and new members to develop workplan. • Ongoing operations • We want your input!
Consulting and Discussion
Feedback and Discussion
Session Evaluations There are two ways to access the session and presenter evaluations: 1 2 In the online agenda, click on the “Evaluate Session” link From the mobile app, click on the session you want from the schedule > then scroll down or click on the associated resources > and the evaluation will pop up in the list
Resources • HECVAT website: • https: //library. educause. edu/resources/2016/10/hi gher-education-cloud-vendor-assessment-tool • Cloud Broker Index: • https: //www. ren-isac. net/publicresources/hecvat. html
- Penilaian strategi
- Hecvat lite
- Hecvat assessment
- Private securit
- Security strategies in windows platforms and applications
- Security strategies in windows platforms and applications
- Security strategies in linux platforms and applications
- Security strategies in windows platforms and applications
- Www.jblearning.com login
- Hedging strategies using futures
- Derivatives hedging strategies
- Imperfect hedge
- Hedging strategies using futures and options
- Fspos
- Novell typiska drag
- Tack för att ni lyssnade bild
- Vad står k.r.å.k.a.n för
- Varför kallas perioden 1918-1939 för mellankrigstiden
- En lathund för arbete med kontinuitetshantering
- Personalliggare bygg undantag
- Tidböcker
- Anatomi organ reproduksi
- Förklara densitet för barn
- Datorkunskap för nybörjare
- Stig kerman
- Hur skriver man en tes
- Delegerande ledarstil
- Nyckelkompetenser för livslångt lärande
- Påbyggnader för flakfordon
- Kraft per area
- Offentlig förvaltning
- Jag har gått inunder stjärnor text
- Presentera för publik crossboss
- Teckenspråk minoritetsspråk argument
- Plats för toran ark
- Klassificeringsstruktur för kommunala verksamheter
- Luftstrupen för medicinare
- Bästa kameran för astrofoto
- Centrum för kunskap och säkerhet
- Verifikationsplan
- Mat för unga idrottare
- Verktyg för automatisering av utbetalningar
- Rutin för avvikelsehantering
- Smärtskolan kunskap för livet
- Ministerstyre för och nackdelar
- Tack för att ni har lyssnat
- Hur ser ett referat ut
- Redogör för vad psykologi är
- Stål för stötfångarsystem
- Tack för att ni har lyssnat
- Borra hål för knoppar
- Orubbliga rättigheter
- Stickprovsvarians
- Tack för att ni har lyssnat
- Rita perspektiv
- Vad är verksamhetsanalys
- Tobinskatten för och nackdelar
- Toppslätskivling effekt
- Mästar lärling modellen
- Egg för emanuel
- Elektronik för barn
- Mantel för kvinnor i antikens rom
- Strategi för svensk viltförvaltning
- Kung dog 1611
- Humanitr
- Romarriket tidslinje
- Tack för att ni lyssnade
- Vilka tal pekar pilarna på
- Olika rim dikter
- Inköpsprocessen steg för steg