Profile

Good Morning, We like to let our vendors know where we have findings and give them an opportunity to improve. By creating a feedback loop we can provide someone in their organization the information they need to get resources assigned to improving security. Whether they act on our findings is on them. ...

Good Afternoon, When reviewing the HEXCVAT, CAIQ, SOC2, and other documentation, there isn't anything about the AI component of the vendor solution documented. I am hoping to share thoughts here about follow up questions that we can all use to gain clarity as we evaluate the risk of using vendors. ...

We have a template (attached) that we use and it gets forwarded to the data steward and the requestor. Both the data steward and requestor have to accept any risk that we highlight in order to move forward. We can give a vendor an "F" if there are reasons to do so. I have attached the template. ...

Good afternoon, I have noticed as I reviewed roughly 100 HECVATs in the last few years that vendors do not know the difference among On-prem, Lite, or Full HECVAT uses. I will often see a Full HECVAT used when the On-prem was appropriate. I also see the Full HECVAT used when the Lite would be appropriate. ...