devel - Re: [devel@sympa] SYmpa - Security Documentation Request

Subject: Developers of Sympa

  • From: IKEDA Soji <address@concealed>
  • To: "Jackson, D'Ann" <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: Re: [devel@sympa] SYmpa - Security Documentation Request
  • Date: Mon, 19 May 2025 20:32:23 +0900

Hi Jackson,

> On 2025/05/17 4:25, Jackson, D'Ann <address@concealed> wrote:
>
> Hello,
>
> I do realize that Sympa is open-source. I still wanted to reach out to ask
> if there is any security documentation that can be provided for Sympa.
> I am emailing to request security documentation for our state-required risk
> assessment of Sympa. Since we are a public university, we must follow Texas
> regulations, ensuring your company has adequate security controls in place.
> I am requesting that your organization complete the attached Higher
> Education Community Vendor Assessment Tool (HECVAT) and provide security
> documentation that shows you have the necessary security controls
> implemented to ensure our system will remain protected. More information on
> the HECVAT can be found at
> https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit.
> I appreciate your assistance.
> In lieu of completing the HECVAT, any certification report such as a SOC 2
> Type 2 or ISO 27001 from a third-party auditor will suffice. Also, Texas
> Government Code requires that I verify you are conducting vulnerability
> scans and penetration tests prior to us using your service so any type of
> high-level executive summary you may provide is appreciated.
> SA-9 External Information System Services - The state organization
> requires that providers of external information system services employ
> adequate security controls in accordance with these standards and monitors
> security control compliance.
> Sec. 2054.516. DATA SECURITY PLAN FOR ONLINE AND MOBILE APPLICATIONS.
> (a) Each state agency implementing an Internet website or mobile
> application that processes any sensitive personal or personally
> identifiable information or confidential information must … subject the
> website or application to a vulnerability and penetration test and address
> any vulnerability identified in the test.
>

We are a free / libre / open source software project and provide free access
to the source code. We are not providing services using Sympa to anyone
outside of our community.

If any external organization(s) provide the mailing list system services to
your university using Sympa or any other software, please ask them to fill
out the form.

If your university is providing the mailing list system services on your own,
please follow the appropriate provisions of your state regulations.


>
> Please let me know if you have any questions. And, thank you in advance for
> any security documentation you can provide.
>
> Best Regards,
>

Best regards,

— Soji


>
> D’ANN JACKSON
> Senior Information Security Analyst
> I.T. Solutions
> P: 940-898-3262
> Service Desk: 940-898-3971 | address@concealed
> This message contains information which may be confidential and privileged.
> Unless you are the addressee (or authorized to receive for the addressee),
> you may not use, copy or disclose to anyone the message or any information
> contained in the message. If you have received the message in error, please
> advise the sender by reply e-mail and delete the message.

Attachment: hecvat306 (1).xlsx
Description: MS-Excel 2007 spreadsheet





