Version 2 of the HECVAT tool includes a range of accomplishments, changes, and improvements as part of Phase III of the tool's development, and more activities are planned for 2019.
Sitting down and writing updates for working groups sometimes doesn't seem like the highest priority, but it is critical for keeping the community engaged and informed. The more involved the community is, the better the outcomes. With work on Phase IV of the Higher Education Cloud Vendor Assessment Tool (HECVAT) under way, the HEISC Shared Cloud Security Assessments working group would like to provide a recap of 2018 activities and share plans for 2019.
Recap of Phase III
We had another extremely productive year during HECVAT Phase III in 2018. Here are the major accomplishments from last year.
- We now have 17 entries in the REN-ISAC Cloud Broker Index (CBI), with many more in the pipeline including Google Cloud Platform. If you have a suggestion for a service provider to add to the CBI or would like to be added to the CBI, please contact [email protected]. Being listed in the CBI shows that a service provider is aware of major areas of interest to the higher education information security community and helps differentiate the service from other services.
- We offered a webinar in July 2018 that specifically targeted the service provider community and described how to use the HECVAT, as well as the benefits to service providers using this community tool.
- HECVAT is now incorporated into the EDUCAUSE Core Data Service survey, module 7 on information security.
- We surveyed the community for feedback on the HECVAT. The working group is still analyzing the data and incorporating community suggestions into this year's (Phase IV) plans.
- More than 50 campuses have allowed us to list them as HECVAT users. Let us know if we can add your college or university. This list helps build community and shows service providers that campuses are adopting the toolkit.
- Internet2 NET+ (https://www.internet2.edu/blogs/detail/16778) now requests a HECVAT as part of the program's information security activities.
- We engaged with several service providers to identify potential ways to partner and share the HECVAT more broadly.
- We presented at many events, including EDUCAUSE, Internet2, Treasury Institute, and TouchNet's COMTEC conferences, as well as SXSW EDU, and several regional meetings. We are trying to get the word out to the community and gather feedback during these presentations.
HECVAT V2.0: Changes and Improvements
The most important part of Phase III was developing HECVAT V2.0! The main purpose of the 2018 revisions was to improve decision support built into the tool. Keeping in mind how the tool is distributed and shared, as well as how some service providers and campuses have incorporated the questionnaires into their risk management tools and services, we tried to keep the toolkit as portable as possible. Version 2 now includes a PCI mapping in the standard crosswalk. In order to make the tool easier for both vendors and institutions to use outside the United States, a Data Zone question was added.
We made significant changes to the questions, making them quantitative to support the scoring updates (see the next section for more details about changes to the scoring). This required rewording many questions and changed some numbering in the questionnaire. These changes were used in automated scoring in an Analyst Report worksheet. The Analyst Report worksheet is a summary of the questionnaire with the metadata from the questionnaire around names, contact, dates, and so forth, and it allows you to select your institution's security framework for the reporting. There is a table of the scores broken down by major section, with an overall score at the end. There is a section on qualitative questions, where an analyst can manually score questions that need to remain qualitative. The Summary Report has the overall score and a graph of the scores from the major sections, along with a listing of the noncompliant responses. This can be used to identify the highest areas of risk or areas to discuss in more detail with the service provider, or to identify areas where compensating controls may be needed. These updates were also included in the HECVAT-Lite.
New Analyst and Summary Reports in HECVAT V2.0
The latest release of the HECVAT introduces two new reports, Analyst and Summary. The Analyst Report provides the tools to assess vendor responses, select standards to make it more relevant to your institution's environment, and quantify subjective vendor responses. The assessment work completed in the Analyst Report feeds into the Summary Report—a scoring matrix presenting a vendor's security state snapshot—that provides a starting point for further security state evaluation. The numerical score provided in the Summary Report is based on the "compliance" of a vendor's answers (i.e., whether the vendor response was concerning or not), not an audit score against an industry standard.
To get these values, six components are calculated for each question—answer requirement, compliant answer, vendor answer, compliance check, weight, and final score. Based on the required value of a question, the vendor's response is compared with the expected compliant value and, if compliant, multiplied by the question weight to get the question score. If the vendor response is not compliant, the score is zero. This calculation is done for each question, and the scores are presented in aggregate, per section. The weighted values are calculated within each section, which prevents smaller and/or lower-risk sections from inappropriately skewing the overall summary score.
The weight for each question was set to one of five risk values: insignificant (10), negligible (15), moderate (20), extensive (25), and significant (40). Because not all questions carry the same risk concerns, the weighting attempts to provide context during evaluation. Weights are compared to aggregate values within each section, ensuring that noncompliant answers to questions with a significant risk concern proportionally affect the section score. For more details of the calculations, review the hidden tabs in the HECVAT spreadsheet, Questions and High Risk Non-Compliant.
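The per-question calculation described above, worked through in code as an added example (this is not the HECVAT workbook's own formula, and the question IDs, sections and answers are constructed). It assumes that a question whose answer requirement is not set is excluded from its section's total, that a section score is the percentage of available weight earned within that section, and that the overall score is the unweighted mean of the section percentages.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The five risk weights the article lists for HECVAT V2.0 questions.
WEIGHTS = {"insignificant": 10, "negligible": 15, "moderate": 20,
           "extensive": 25, "significant": 40}

@dataclass
class Question:
    qid: str        # hypothetical question identifier
    section: str    # questionnaire section the question belongs to
    required: bool  # "answer requirement"; False = excluded from scoring (assumption)
    compliant: str  # the answer that raises no concern ("Yes" or "No")
    vendor: str     # the vendor's answer
    risk: str       # one of the WEIGHTS keys

def score_question(q: Question) -> Tuple[int, int]:
    """Return (weight, final score): the weight if compliant, else 0."""
    if not q.required:
        return 0, 0
    weight = WEIGHTS[q.risk]
    compliance_check = q.vendor.strip().lower() == q.compliant.strip().lower()
    return weight, weight if compliance_check else 0

def score_sections(questions: List[Question]) -> Dict[str, float]:
    """Percent of available weight earned, aggregated within each section."""
    earned: Dict[str, int] = {}
    possible: Dict[str, int] = {}
    for q in questions:
        weight, score = score_question(q)
        possible[q.section] = possible.get(q.section, 0) + weight
        earned[q.section] = earned.get(q.section, 0) + score
    return {s: round(100.0 * earned[s] / possible[s], 1) for s in possible if possible[s]}

def overall_score(section_scores: Dict[str, float]) -> float:
    """Assumed: mean of section percentages, so a small section cannot dominate."""
    return round(sum(section_scores.values()) / len(section_scores), 1)

def high_risk_noncompliant(questions: List[Question]) -> List[str]:
    """IDs of required questions answered non-compliantly, highest weight first."""
    bad = [q for q in questions if q.required and score_question(q)[1] == 0]
    return [q.qid for q in sorted(bad, key=lambda q: WEIGHTS[q.risk], reverse=True)]

# Constructed sample responses (hypothetical IDs and sections, not the real questionnaire).
SAMPLE = [
    Question("AUTH-01", "Authentication", True, "Yes", "Yes", "significant"),
    Question("AUTH-02", "Authentication", True, "Yes", "No", "moderate"),
    Question("DATA-01", "Data", True, "No", "No", "extensive"),
    Question("DATA-02", "Data", True, "Yes", "No", "significant"),
    Question("DATA-03", "Data", False, "Yes", "", "insignificant"),
]
```

Running `score_sections(SAMPLE)` on the constructed data gives Authentication 66.7 and Data 38.5, and `high_risk_noncompliant(SAMPLE)` lists DATA-02 before AUTH-02, which is the ordering an analyst would use to pick discussion points with the vendor.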
Although this scoring system is not perfect, these calculations provide a great starting point for evaluating a vendor's security state. In time, with the assistance of the community, the HEISC Shared Cloud Security Assessments working group will refine these reports and calculations. In similar fashion to the initial HECVAT, the Analyst and Summary Reports in version 2 are published to fill an immediate need, with the intent to improve their functionality based on the ongoing needs of the higher education community.
Phase III Working Group Members
The 2018 accomplishments and changes completed for HECVAT V2.0 would not be possible without the participation of EDUCAUSE, Internet2, and REN-ISAC members. We appreciate the dedication and active engagement of our Phase III volunteers!
- Jon Allen, Baylor University (working group chair)
- Josh Callahan, Humboldt State University
- Charles Escue, Indiana University
- Jeff Hopkins, Purdue University
- Alex Jalso, West Virginia University
- Amanda Sarratore, University of Notre Dame
- Gary Taylor, York University
- Gene Willacker, Michigan State University
- David Zeichick, California State University, Chico
- Susan Coleman, Todd Herring, and Kim Milford, REN-ISAC
- Nick Lewis, Internet2
- Valerie Vogel, EDUCAUSE
The core team met in late 2018 and early 2019 to develop some high-level goals for the next phase. We asked for volunteers and received an overwhelming response from almost 40 people in less than a week from just one email! It shows how interested the community is in this topic. We have goal-specific deliverables that include developing contract language, report templates, more documentation, and a potential "on-prem" version (yes, for a cloud-based questionnaire!). We are also exploring opportunities for partnerships with privacy, accessibility, and other experts to enhance the tool. The working group is also creating an outreach and communications plan for 2019. We'll be reaching out to potential volunteers and scheduling calls in February. Our next updates will be in Chicago at the 2019 Security Professionals Conference during a full-day workshop, Strategies for Streamlining Security Assessments Using the HECVAT, and a one-hour presentation, What the HECVAT! Driving the Winds of Change.
We'd love to hear your feedback and suggestions, so please reach out to the working group at [email protected].
Jon Allen is Chief Information Security Officer and Interim Chief Information Officer at Baylor University.
Josh Callahan is Information Security Officer and CTO at Humboldt State University.
Charlie Escue is the Extended Information Security Manager at Indiana University.
Nick Lewis is the Program Manager of Security and Identity at Internet2.
Kim Milford is the Executive Director of REN-ISAC.
Valerie M. Vogel is Interim Director of the Cybersecurity Program at EDUCAUSE.
© 2019 Jon Allen, Josh Callahan, Charlie Escue, Nick Lewis, Kim Milford, and Valerie Vogel. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.