Hey everyone! I'm a System Admin at a higher education institution and we're currently diving into risk assessments for potential vendors, specifically using the HECVAT from Educause. Recently, a department requested a particular software that's popular in education. We asked for a HECVAT, but the vendor filled it out and scored a whopping 0%.
Upon reviewing their answers, I was really concerned. They don't follow a security framework, don't notify us of changes affecting our security, lack compliance with accessibility standards, and have no documented info security policy or incident response plan. Their website looks pretty outdated too, which raises red flags.
I feel a lot of pressure to recommend this software, but I truly can't. The department is pushing back, claiming there's no alternative software available. They made comments like "I guess we aren't having Marching Band next year!" I'm holding my ground, but I'm wondering how to handle this kind of situation. If the administration decides to proceed despite my concerns, what can I do to mitigate risks if we have to use this software? I really dislike the political side of this office—any advice would be super helpful!
2 Answers
The landscape in higher education regarding these assessments is tightening up. It's worth exploring how and why the HECVAT was adopted at your institution. Ensure there's a formal framework in place and, ideally, a dedicated security team to back you up. If adjacent departments aren't on board, it can feel like you're fighting this battle alone.
It's crucial to have a policy in place for when a supplier fails the risk assessment. You should make sure your cybersecurity policy covers what to do next. If none exists, it’s high time to create one. You might also reach out to similar institutions to see how they handle this situation; sharing insights might give you more ground to stand on.