Shared Cloud Security Assessments Update
Coauthored by Jon Allen, Joanna Grama, Kim Milford and Nick Lewis
Sometimes working groups move so fast that it's difficult to keep the broader community updated frequently. The Shared Cloud Security Assessments (HECVAT) working group is one of those groups! We've slowed down a little for the summer, so I’m going to summarize the progress since our last update in March 2017 before the Internet2 Global Summit and EDUCAUSE Security Professional conference presentations. As I write this, I realize how much this great group of dedicated information security professionals has gotten done! On to the updates:
- One of the most frequent comments we've heard is that the assessment tool is too long. We have been focused on trying to save the community time and have put together a new edition of the tool called the HECVAT-Lite. It has the metadata-related questions, sharing responses, as well as answers to the most critical questions from campuses. We are going to keep the question text in sync with the main tool so that the data can be compared between the two versions. We are still working on streamlining the questionnaire and welcome your feedback.
- We have also been working on adding crosswalks in the questionnaire so campuses can quickly see how a particular response would map to other standards or requirements. We'll include the crosswalk in the next version of the tool.
- The working group has a survey we'd like campuses to complete to help us gather metrics on the use of the HECVAT, perceived vendor reaction to the HECVAT, and suggestions for further improvements and refinements. Please take our quick 13-question survey and share your feedback. We've reviewed the preliminary responses and would like to get some additional campus feedback to fine-tune our work.
- In the NET+ program, we’ve added the HECVAT to the standard documents we collect for service providers. More updates on this to come out soon in a separate blog post.
- We continue to get questions about how to share completed HECVATs, where to find them, etc. We’re still working on more details and a specific sharing paper, so expect more updates soon on that! We know that is one of the priorities the community is looking for.
- As part of the sharing paper discussions, we have also discussed how to engage with potential service providers. If you're a service provider interested in participating, please contact us. If you have a specific service provider you're interested in working with, please let us know so we can work on coordinating efforts and reducing duplicate work across campuses.
- As part of EDUCAUSE’s Industry and Campus Webinar series, the webinar on Demystifying Third-Party Vendor Risk in Higher Ed might be of some interest to campuses.
- Our dedicated, task-oriented chair, Jon Allen, was recently profiled in EdScoop about the importance of working with other community members and interested organizations in tackling really big IT problems for campuses.
We received several requests from different campus, regional, and national groups about giving a presentation to their communities on our work. Be on the lookout for local presentations near you!
We also received feedback that many members of our community are unfamiliar with our work. We’re trying to reach out as much as we can. Please let us know if you'd like a presentation scheduled (remotely or in person) and we’ll do our best to accommodate requests.
If you have any questions or feedback, please feel free to reach out to us. We greatly appreciate all of the feedback we've gotten so far!