This FAQ covers many of the questions we've encountered since the launch of Isora Lite at the EDUCAUSE Security Professionals Conference in May 2019. The questions are organized in the following categories:
It is up to the institution, in conversation with vendors, to determine whether the vendor would like the HECVAT shared across Isora Lite users. By default, the option to “allow report to be viewed by other users” is checked when creating a new assessment, which allows the rest of the community to see the assessment once it is completed.
Can we use this to track/complete our own HECVATs without sharing them with other Isora Lite users?
Yes, you can keep everything private, but we think there’s value in sharing HECVATs with the community for both the institution and the vendor. If you have an NDA with a vendor to complete a HECVAT, you will need to keep the assessment private. Currently the only time to specify sharing settings is when the assessment is created.
Can you see that a vendor assessment exists even if it’s not shared?
You won’t be able to see anything about an assessment that is not shared, including that it exists at all. The user from the campus that sponsored it would see it but nobody else.
What if the vendor completes an assessment that is NOT shared by a particular user, and then another user requested a HECVAT from the same vendor?
The vendor would need to complete the assessment again for the new requester. The user who previously completed the HECVAT cannot change the sharing settings after the fact.
Are there other sharing options such as sharing a HECVAT with specific campus(es) through Isora Lite?
No, the sharing option is either all Isora Lite users or none.
Do all users from a given campus have the same view of Open/Completed assessments?
No, only the user who created the assessment will see it on the Open Assessments tab.
Are completed HECVATs available publicly?
No, only authenticated Isora Lite users can see the completed HECVATs. This includes EDUs primarily, but also state/local government agencies willing to use the HECVAT assessment who are manually provisioned by SaltyCloud.
When does an assessment become completed?
The final step before an assessment is completed is when someone “Acknowledges” the assessment. At this point, the assessment is considered completed and will be available to other institutions in Isora Lite, provided the option to share was checked.
If a vendor gives the requesting institution unsatisfactory answers, can the requesting institution push back on them?
Yes. Up until the assessment is Acknowledged by either the vendor or the requesting institution, the assessment can be modified and the link used by the vendor to access their assessment will still be valid.
Can the vendor or anyone else edit assessment responses/answers after the assessment has been acknowledged?
What if the vendor or requesting institution finds errors in an assessment after it has been acknowledged?
In order to maintain the reliability of data and prevent tampering, we believe it’s best to limit the amount of modification after completion.
When can an updated assessment be submitted for the same vendor/product?
We haven’t locked down a specific time frame that must pass before initiating another one, but it would be at least a couple of months. Three months seems like a reasonable time frame to provide an updated assessment where changes might have been made. The vendor would need a requesting institution to re-initiate. There is no method whereby a vendor can complete an assessment without a higher ed or government sponsor.
Legacy Versions and Expiration
What if someone has already filled out a HECVAT in spreadsheet format in the last year?
For the sake of incorporating the work that the community has done to date, we will work to get recently completed assessments into the system, but only if those assessments will be shared. The requesting institution would need to confirm with the vendor that the assessment can be shared before providing it for upload. Contact SaltyCloud for instructions on incorporating prior HECVATs into Isora Lite.
What if those existing assessments in spreadsheet format are legacy HECVAT versions?
We can import legacy HECVATs; however, some additional questions might need to be completed by the vendor for a completed HECVAT assessment in the current format (2.04).
Do the answers from a previous version for a vendor carry over?
Yes. When a requesting institution relaunches a new version, previous answers are present and changes can be seen by clicking on the icon within an open assessment.
How can you tell when the HECVATs are too old or expired?
They age out and an indicator shows up to indicate that this might be a stale assessment.
What is the timeframe for when a HECVAT expires?
Currently, completed HECVATs will have an expiration indicator after 12 months. You can always request one sooner depending on the risk of the vendor or sensitivity of information (but not less than 3 months from the previous assessment).
Have previous assessments included on the Cloud Broker Index (CBI) managed by REN-ISAC been imported?
We are working with REN-ISAC and the HEISC to ensure that this tool meets the spirit of the spreadsheet version of HECVAT but in a more normalized and accessible form. Institutions can choose to use the existing HECVAT assessments on the CBI or become the sponsoring institution to renew a HECVAT within Isora Lite.
Isora Lite Specifications
What is Isora Lite running on?
Isora Lite runs on AWS, operated by SaltyCloud. See our HECVAT Lite assessment for Isora for more information.
Where was Isora Lite developed?
Just like the full version of Isora GRC, Isora Lite was developed by the Information Security Office of the University of Texas at Austin.
Can we add attachments?
No, but we recognize the need to provide justification and explanation (some of the questions even ask for specific attachments). We’re exploring possibilities for including attachments. Presently, the comments section can be used to provide links to supporting information.
Can you upload an assessment into Isora Lite rather than completing within the tool?
Not at present; however, we will work to incorporate completed assessments into Isora Lite for a limited time to improve the usefulness of the tool. See “What if someone has already filled out a HECVAT in spreadsheet format in the last year?”
Can you export a completed assessment from Isora Lite?
Yes, there is a CSV download button on the Report page. You can also print a PDF of the report from your web browser.
Does Isora Lite have API access?
Because of the nature of authentication in the system, we do not have a good control that would let us expose an API. We don’t envision this being included in Isora Lite, although it is presently incorporated into the full version of Isora GRC.
Can we use different frameworks?
Isora Lite is limited to HECVAT, although there are several different question lists provided, depending on the level of detail you are interested in. Users of the full version of Isora GRC have complete control of question set and framework customization.
Is there any opportunity for post-processing assessments on the HECVAT?
No, Isora Lite is intended to simplify the completion and collection of HECVAT assessments.
Can you download a CSV of the completed HECVAT data?
What’s next for Isora Lite?
Similar to our other free-to-EDU tool Dorkbot, our goal was to create a low/no cost tool to help the community gain better access to risk data on vendors. Being part of the community ourselves, we heard that a better way to track vendor risk was necessary and that resulted in Isora Lite. Just as we listened to the community to create Isora Lite, we’ll continue to get feedback from the community to understand how we can improve it.