Profile


Wendy Epley



My Content

1 to 11 of 11 total
Posted By Wendy Epley 11-20-2023 07:04:32 PM
Found In Egroup: HEISC 800-171 Compliance
Sorry for the late reply... been on PTO. I can meet in December for the impromptu SSP discussion/working group, but also happy to see folks in 2024. Kind regards, ------------------------------ Wendy Epley Principal Analyst, Information Security The University of Arizona wepley@arizona.edu ---- ...
Posted By Wendy Epley 11-20-2023 11:55:51 AM
Found In Egroup: HEISC 800-171 Compliance
Hi Nathan, UArizona follows the guidance in NIST SP 800-53 (RA-02) and NIST SP 800-60 for its data classification/impact schema. We use 3 classifications that apply to all University Information and Resources: Public, Internal, and Restricted. I think the only thing that would cause us to re-evaluate ...
Posted By Wendy Epley 11-03-2023 11:55:20 AM
Found In Egroup: HECVAT Users
Hi Mike, In my humble opinion, the HECVAT should serve as an aid to Vendor Risk Management. It is not a legally binding document. Sometimes the HECVAT is filled out by salespeople, other times it's leadership - there really is not any consistency in who within the vendor's organization completes ...
Posted By Wendy Epley 09-20-2023 10:12:00 AM
Found In Egroup: HEISC 800-171 Compliance
Hi everyone, For those who attended yesterday's meeting and noted the text in the Library resource had the incorrect day for our meetings, that has now been corrected. The HEISC 800-171 Compliance monthly meeting invite and details can be found on the Community's "Library" tab. There is also a calendar ...
Posted By Wendy Epley 09-19-2023 02:00:16 PM
Found In Egroup: HEISC 800-171 Compliance
Hi Michael, UArizona explored many third-party solutions, including ISORA, but none of them could provide us with the tools we wanted and needed. So we built our own! The tool was developed in 2018 by our then Director of Information Security and Deputy CISO. The tool has been refined and evolved over ...
Posted By Wendy Epley 09-17-2023 02:12:00 PM
Found In Egroup: Cybersecurity
Hi Aaron, You need to consider if those printing devices are in-scope assets or not. Look at the CMMC Level 2 Scoping Guide for how to scope your assets in applying NIST SP 800-171. The documentation can be found at - https://dodcio.defense.gov/CMMC/Documentation/ For NIST SP 800-172, these are more ...
Posted By Wendy Epley 08-23-2023 09:19:30 AM
Found In Egroup: Cybersecurity
The University of Arizona explored SaltyCloud's ISORA in 2018... as we started using it we discovered that it really did not fit our needs and we did not renew the contract after 1 year. ------------------------------ Wendy Epley Principal Analyst, Information Security The University of Arizona - ...
Posted By Wendy Epley 08-23-2023 09:13:49 AM
Found In Egroup: Cybersecurity
Hi Rusty, The University of Arizona moved away from the death-by-spreadsheet approach in 2018 and developed a software program that evolved our risk management program to a federated risk management strategy. By involving the people (IT and non-IT) from across the organization, we are able to gain ...
Posted By Wendy Epley 07-20-2023 10:03:23 AM
Found In Egroup: HECVAT Users
At UArizona, using the HECVAT or reviewing a SOC2 Type II is not a requirement, but are encouraged to assess a vendor's security posture through the vendor management lifecycle. Units cannot accept a contract that allows for falling out of compliance with University policy. Where the vendor lacks sufficient ...
Posted By Wendy Epley 07-18-2023 10:00:00 AM
Found In Egroup: HEISC 800-171 Compliance
Thank you to all who could attend today's meeting and hear the story of UASecure at the University of Arizona and how Sibylity transformed how the University manages information security and risk. As you may be aware, HEISC meetings are not recorded, so there is no video of the presentation but attached ...
Posted By Wendy Epley 07-18-2023 09:59:47 AM
Found In Library: HEISC 800-171 Compliance