What is HECVAT (Higher Education Community Vendor Assessment Toolkit)?

What is HECVAT (Higher Education Community Vendor Assessment Toolkit)?

Abi Tyas Tunggal
Abi Tyas Tunggal
updated Oct 18, 2021

The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that attempts to generalize higher education information security and data protection questions and issues regarding cloud services for consistency and ease of use. 

HECVAT has various versions that are free to use and provide a consistent, streamlined third-party risk assessment framework:

  • Original version: 265 questions including qualifying questions for HIPAA and PCI-DSS opt-in
  • Lightweight version: A lightweight questionnaire used to expedite the process
  • On-premise: A unique questionnaire used to evaluate on-premise applications and software

Like many vendor risk assessment templates, HECVAT is a combination of vendor risk management best practices and common security control requirements from multiple sources.  

If you want to learn more about security questionnaires, read our guide on the top questionnaires here.

Why Was the HECVAT Created?

In cybersecurity, there are a few industries that are always part of the conversation. Namely healthcare, finance, government, and recently higher education. 

The creation of the Higher Education Cloud Vendor Assessment Tool (HECVAT), which has now been renamed to the Higher Education Community Vendor Assessment Tool (HECVAT) to better reflect its intended use beyond the cloud, was driven by the following trends:

HECVAT was created by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group, in collaboration with Internet2 and REN-ISAC by crowdsourcing various vendor assessments and analyzing which regulations worked best for different higher education situations.

What are the Benefits of Using HECVAT?

HECVAT allows higher education security teams to operate more efficiently, by helping ensure that cloud services are appropriately assessed for security and privacy needs, including those unique to higher education institutions. 

HECVAT aims to reduce costs through cloud services without increasing cybersecurity risk, while reducing the burden cloud service providers face when responding to security assessment requests from higher education institutions. 

A number of cloud providers such as Google have already completed the HECVAT questionnaire and provide their assessments on the Cloud Broker Index (CBI). 

The CBI provides an up-to-date list of vendors who have willingly shared their complete HECVAT, allowing security assessors at colleges and universities to use the posted assessment, saving both sides time. 

Why is HECVAT Important?

HECVAT is important because higher education institutions are heavily reliant on outsourcing and on-sourcing, introducing potential vendor risk.

Higher education is outsourcing more because good vendors provide benefits including:

  • Specialization: Many products or services are so specialized that outsourcing to a dedicated company will provide better performance and a lower level of risk than performing the function in-house, e.g. accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement or loan servicing.
  • Cost savings: Many vendors benefit from economies of scale and are able to offer a good or service at a lower cost than you would be able to internally. 

As a security questionnaire, HECVAT forms an important part of a robust vendor risk management (VRM) program.  

Read more about why vendor risk management is important

Who Uses HECVAT?

The intended audiences for HECVAT are colleges, universities, and the third-party service providers they contract to. According to EDUCAUSE, dozens of leading organizations have adopted HECVAT to measure the potential risks to their university, campus, and student body from third and fourth-parties including:

  • American University
  • Appalachian State University
  • Art Institute of Chicago
  • Bates College
  • Baylor University
  • Berry College
  • Black Hills State University
  • Boston College
  • Bowling Green State University
  • Brown University
  • California Baptist University
  • California State University, all Campuses and System
  • Carnegie Mellon University
  • Carthage College
  • Champlain College
  • Clarkson University
  • Columbus State Community College
  • Cornell University
  • Davidson College
  • Denison University
  • DeSales University
  • Drake University
  • Drexel University
  • Duquesne University
  • East Carolina University
  • Ferris State University
  • Foothill-De Anza Community College District
  • Franklin & Marshall College
  • Gallaudet University
  • Georgia Institute of Technology
  • Hillsborough Community College
  • Indiana University
  • Indiana Wesleyan University
  • Institute for Advanced Study
  • John Carroll University
  • Kent State University
  • LeTourneau University
  • Linfield College
  • Longwood University
  • Madison College
  • Methodist University
  • Miami University
  • Montclair State University
  • Montgomery College
  • Morgan State University
  • Northern Arizona University
  • Oakland University
  • Ohio Northern University
  • Oregon State University
  • Pace University
  • Pacific University
  • Pepperdine University
  • Princeton University
  • Radford University
  • Rice University
  • Rowan University
  • Rutgers University
  • Sam Houston State University
  • Southern Alberta Institute of Technology
  • Springfield College
  • Stony Brook University
  • Suffolk County Community College
  • Susquehanna University
  • Tennessee Tech University
  • Texas State University
  • Troy University
  • Truman State University
  • University of California, Davis
  • University of Delaware
  • University of Denver
  • University of Idaho
  • University of Maine System
  • University of Maryland Baltimore
  • University of Massachusetts Amherst
  • University of Oregon
  • University of Portland
  • University of Rhode Island
  • University of Richmond
  • University of Tennessee, Knoxville
  • University of Texas at Austin
  • Virginia Tech
  • West Texas A&M University
  • West Virginia University
  • Western Carolina University
  • Western Michigan University
  • William & Mary
  • Williams College
  • Yavapai College

What is in the HECVAT Toolkit?

The Higher Education Community Vendor Assessment toolkit includes:

Should I Rely Solely on HECVAT?

While HECVAT is a great security assessment template. It's doesn't form a complete vendor risk management program.  

HECVAT is a point-in-time assessment that is static and subjective. It doesn't account for the changes that can occur after you receive the complete security assessment from a vendor. 

This is why security ratings are importantSecurity ratings are a data-driven, objective, and dynamic measure of a vendor's security posture

They are commonly used by third-party risk management teams to continuously monitor and benchmark vendors.

Security ratings are calculated based on objective, externally observable, continuously available and verifiable information. This means that they are always up-to-date and a great complement to traditional security assessments. 

According to Gartnercybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs.

Additionally, many security leaders find security ratings an invaluable part of increasing security awareness, managing cybersecurity performance, and reporting cybersecurity metrics to their Board of Directors, C-Suite and even shareholders.  

How UpGuard Can Improve Your Vendor Risk Management Program

Companies like Intercontinental ExchangeTaylor FryThe New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security posture.

UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.

We can help you continuously monitor your vendors' external security controls and provide an unbiased security rating. 

We base our ratings on the analysis of 70+ vectors including:

We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.

For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more.

The major difference between UpGuard and other security ratings vendors is that there is very public evidence of our expertise in preventing data breaches and data leaks

Our expertise has been featured in the likes of The New York TimesThe Wall Street JournalBloombergThe Washington PostForbesReuters, and TechCrunch.

You can read more about what our customers are saying on Gartner reviews.

If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.

Book a demo of the UpGuard platform today.


UpGuard logo in white
UpGuard free resources available for download
Learn more

Download our free ebooks and whitepapers

Insights on cybersecurity and vendor risk management.
UpGuard logo in white
eBooks, Reports & Whitepapers
UpGuard free resources available for download
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

See UpGuard In Action

Book a free, personalized onboarding call with one of our cybersecurity experts.
Abstract shapeAbstract shape

Related posts

Learn more about the latest issues in cybersecurity.
Deliver icon

Sign up to our newsletter

Get the latest curated cybersecurity news, breaches, events and updates in your inbox every week.
Abstract shapeAbstract shape
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan ratingAbstract shape