Eighteen months ago, Jon Allen, the chief information security officer at Baylor University in Texas, came to two realizations about how his team could work more efficiently.
The first was that a full 30 percent of his team’s time was spent performing IT security reviews of new or potential software for his school. Last year alone, Baylor completed around 70 such reviews, many of which required extensive back-and-forth communication between his team and vendors. Among the questions needing definitive answers: Did the software fully meet FERPA guidelines? To what extent did it share data with third-party companies? And exactly how would it keep that data secure?
What bothered Allen most was how often he found himself translating email responses from sales reps who were the middlemen or gatekeepers between his own department and the software developers that he really wanted to talk to.
The second realization was bigger: By and large, security reviews like the ones Baylor conducts don’t look much different from the ones taking place at higher ed institutions and schools across the country. With the higher ed community already sharing so much information on other topics, he wondered, why was nobody talking or sharing anything about the way they conducted their security reviews or how they processed the responses?
“One of the unique things about higher ed is that unlike other verticals there’s already significant sharing taking place,” said Allen. “There’s always sharing and collaboration going on, and frankly I think vendors need to realize that’s taking place.”
From idea to movement
Allen has spent his entire academic and professional career at Baylor, from an undergraduate degree in political science to his present role as assistant vice president and CISO. But during that time he’s been an active member of the higher ed security community, presenting at conferences and serving on committees and working groups for organizations like EDUCAUSE, REN-ISAC and Internet2.
Allen first proposed the idea of crowdsourcing security reviews at an EDUCAUSE conference more than a year ago along with Nick Lewis, the program manager for the NET+ program at Internet2. The response convinced Allen and Lewis they were on to something. Enthusiastic attendees contacted him by the dozens to see how they could help.
Before long a working group was formed with members representing every type of institution, from small public community colleges to large state systems, and even big names like Cornell and Carnegie Mellon.
“I kind of threw this out there as one of those things where you never know how it’s going to land,” said Allen. He soon became the natural choice to head the working group and the movement as a whole. “I’ve never seen something where all of a sudden I had so many people wanting to participate in the effort,” he said.
Campuses generally perform security reviews for any piece of software that touches or uses data in some way. Naturally, student information systems and those dealing with student financial records must be extensively vetted, along with instructional software that requires student registration.
However, IT departments also spend a substantial amount of time checking out things that might not seem so obvious, such as applications that analyze student athlete performance and those used exclusively among research faculty.
When the working group got started, it invited Internet2, EDUCAUSE, and REN-ISAC to join in and contribute feedback as well. The group began with the goal of standardizing a set of core risk assessment questions that every school should ask. They then looked at Internet2’s NET+ program, which performs extensive peer-reviewed assessments of cloud services, as well as the existing slate of cloud security assessment tools. Not finding anything that met their needs, they decided to create one of their own.
That effort eventually became the Higher Education Cloud Vendor Assessment Tool (HECVAT for short), a document of more than 250 questions covering the security of any type of software that touches student data — everything from compliance with ISO standards, to cybersecurity protocols, to the vendor’s business continuity plan and the locations where data is physically stored.
“The HECVAT is much more lightweight than what we’ve been doing, and ours doesn’t scale,” said Lewis of Internet2’s ultra-rigorous NET+ program. “I don’t think Jon is unique in higher ed information security in not having enough resources to address everything that he thinks is appropriate. By sharing the workload across the community, we can benefit each other.”
The NDA factor
Though the project is still in nascent stages, Allen’s goal is that schools will begin using the HECVAT as part of their security assessments. The hope is that any given vendor will need to complete only a single HECVAT form, providing official answers as a company effort to the best of its ability.
After the mammoth document was completed and passed around, feedback began to trickle back to the working group. One snag is that some vendors require schools to sign a nondisclosure agreement (NDA) before releasing details. “Anytime someone has to sign an NDA, it adds a lot of overhead,” said Lewis. But the group is already discussing how to phrase questions and convince vendors to release as much information as they can without an NDA.
Another concern was that the HECVAT, though exhaustive, was almost too big, given that not all security vetting looks the same.
For software that doesn’t require access to sensitive information, the dive isn’t typically so deep. In recognition of that, Allen’s working group devised a condensed, stripped-down 50-question version, called the HECVAT Lite.
So far, only a few schools have received completed HECVAT forms of either variety from vendors. Allen currently has two in process and hopes that as more assessments come in, the completed forms can be stored in an online repository, available to qualifying schools that can use them as a time-saving part of their risk assessment procedures.
Of course the elephant in the room is whether vendors will want these shared in the first place. The handful of vendors that have worked on HECVATs have done so as part of individual security reviews, and conversations around sharing have mostly been informal and hypothetical, according to Allen. There are currently no vendors serving on the working group, he said.
But Allen is optimistic that vendors will eventually come around to the idea, especially as more schools signal interest in the project. He’s also counting on help from EDUCAUSE and Internet2 to leverage their existing relationships with vendors.
Both organizations have been big champions of the effort, in part because they see value for both groups. Schools and vendors already spend a lot of time on these assessments, making any efficiencies especially appealing, explains Joanna Grama, the director of cybersecurity and IT governance, risk, and compliance programs at EDUCAUSE.
“Higher education institutions could use a tool for initial assessments that meets most of their assessment needs (without having to create new tools), and vendors could become familiar with a tool and not have to complete multiple different assessments to conduct business in the higher education space,” she said.
If successful, the effort could also give schools more say in how security issues are handled, and how seriously higher ed concerns are taken, among the software providers they rely on every day.
“If you’re a small liberal arts school, I know you have zero leverage with vendors,” said Allen. “But as a result of you partnering with all the other institutions involved in the HECVAT, all of a sudden you now have more power and more leverage in that relationship and that conversation than you ever would have had before.”
“It’s empowering higher ed to get the security requirements that we need as a coalition, as well as providing the vendors a better way of doing business than we’ve been doing these last few years.”