jupyter / security

BSD 3-Clause "New" or "Revised" License

HECVAT Lite. #13

Closed Carreau closed 2 years ago

Carreau commented 2 years ago

Received on the security mailing list:

We are in the process of vetting software for purchase and we are wondering if you are able to provide a Higher Education Community Vendor Assessment Toolkit (HECVAT) for our documentation and decision making process. I have attached a copy of the assessment to this email; if you have any questions, please let me know.

HECVAT-Lite.xlsx

I'm not sure if the Jupyter organisation qualifies as a vendor and can provide that. If anybody has experience with that, maybe Trusted CI?

rcthomas commented 2 years ago

I think so on the Trusted CI question, maybe @kayavila can help?

https://blog.trustedci.org/2021/08/osc-begins-engagement.html
https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit

rpwagner commented 2 years ago

HECVAT was developed by a few groups, including EDUCAUSE and Internet2, and I have some idea of its goals. I think @Carreau is right, Project Jupyter is not a vendor, so it's probably not the right group to submit an assessment. Other entities, like Anaconda or 2i2c would be more appropriate.

In the longer term, HECVAT is a good example of what topics enterprise users prioritize and we can define some of the Project Jupyter security documentation based on the assessment, even if it's just to explicitly describe what Project Jupyter tries to manage.

Carreau commented 2 years ago

I got the same response as what @rpwagner is saying from internal Quansight questions. And looking at the questions in the XLS, only about 20%, if not fewer, apply to Jupyter as an organisation; NumFOCUS could fill in a bit more, but it's true that 2i2c / Anaconda / another vendor might be better suited for this specific request right now.

I'll respond and also mention that we are engaging with https://www.trustedci.org/

Carreau commented 2 years ago

Closing as I had no feedback on my response to the person that asked.

djclarkson commented 1 week ago

You (or others with similar challenges) can reach out to us at https://www.hecvatpro.com