The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that attempts to generalize higher education information security and data protection questions and issues regarding cloud services for consistency and ease of use.
HECVAT has various versions that are free to use and provide a consistent, streamlined third-party risk assessment framework:
- Original version: 265 questions including qualifying questions for HIPAA and PCI-DSS opt-in
- Lightweight version: A lightweight questionnaire used to expedite the process
- On-premise: A unique questionnaire used to evaluate on-premise applications and software
If you want to learn more about security questionnaires, read our guide on the top questionnaires here.
Why was the HECVAT created?
In cybersecurity, there are a few industries that are always part of the conversation. Namely healthcare, finance, government, and recently higher education.
The creation of the Higher Education Cloud Vendor Assessment Tool (HECVAT), which has now been renamed to the Higher Education Community Vendor Assessment Tool (HECVAT) to better reflect its intended use beyond the cloud, was driven by the following trends:
- The increasing number of third-party vendors the average university or college uses
- The need to protect the PII of constituents due to the increasing number of extraterritorial data protection laws such as PIPEDA, GDPR, LGPD, the SHIELD Act, and FIPA
- The need to protect institutional information and sensitive data
- The increasing size and frequency of first, third, and fourth-party data breaches and data leaks
- The growth in cloud services and cloud providers
HECVAT was created by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group, in collaboration with Internet2 and REN-ISAC by crowdsourcing various vendor assessments and analyzing which regulations worked best for different higher education situations.
What are the benefits of using HECVAT?
HECVAT allows higher education security teams to operate more efficiently, by helping ensure that cloud services are appropriately assessed for security and privacy needs, including those unique to higher education institutions.
HECVAT aims to reduce costs through cloud services without increasing cybersecurity risk, while reducing the burden cloud service providers face when responding to security assessment requests from higher education institutions.
A number of cloud providers such as Google have already completed the HECVAT questionnaire and provide their assessments on the Cloud Broker Index (CBI).
The CBI provides an up-to-date list of vendors who have willingly shared their complete HECVAT, allowing security assessors at colleges and universities to use the posted assessment, saving both sides time.
Why is HECVAT important?
HECVAT is important because higher education institutions are heavily reliant on outsourcing and on-sourcing, introducing potential vendor risk.
Higher education is outsourcing more because good vendors provide benefits including:
- Specialization: Many products or services are so specialized that outsourcing to a dedicated company will provide better performance and a lower level of risk than performing the function in-house, e.g. accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement or loan servicing.
- Cost savings: Many vendors benefit from economies of scale and are able to offer a good or service at a lower cost than you would be able to internally.
As a security questionnaire, HECVAT forms an important part of a robust vendor risk management (VRM) program.
Who uses HECVAT?
The intended audiences for HECVAT are colleges, universities, and the third-party service providers they contract to. According to EDUCAUSE, dozens of leading organizations have adopted HECVAT to measure the potential risks to their university, campus, and student body from third and fourth-parties including:
- American University
- Appalachian State University
- Art Institute of Chicago
- Bates College
- Baylor University
- Berry College
- Black Hills State University
- Boston College
- Bowling Green State University
- Brown University
- California Baptist University
- California State University, all Campuses and System
- Carnegie Mellon University
- Carthage College
- Champlain College
- Clarkson University
- Columbus State Community College
- Cornell University
- Davidson College
- Denison University
- DeSales University
- Drake University
- Drexel University
- Duquesne University
- East Carolina University
- Ferris State University
- Foothill-De Anza Community College District
- Franklin & Marshall College
- Gallaudet University
- Georgia Institute of Technology
- Hillsborough Community College
- Indiana University
- Indiana Wesleyan University
- Institute for Advanced Study
- John Carroll University
- Kent State University
- LeTourneau University
- Linfield College
- Longwood University
- Madison College
- Methodist University
- Miami University
- Montclair State University
- Montgomery College
- Morgan State University
- Northern Arizona University
- Oakland University
- Ohio Northern University
- Oregon State University
- Pace University
- Pacific University
- Pepperdine University
- Princeton University
- Radford University
- Rice University
- Rowan University
- Rutgers University
- Sam Houston State University
- Southern Alberta Institute of Technology
- Springfield College
- Stony Brook University
- Suffolk County Community College
- Susquehanna University
- Tennessee Tech University
- Texas State University
- Troy University
- Truman State University
- University of California, Davis
- University of Delaware
- University of Denver
- University of Idaho
- University of Maine System
- University of Maryland Baltimore
- University of Massachusetts Amherst
- University of Oregon
- University of Portland
- University of Rhode Island
- University of Richmond
- University of Tennessee, Knoxville
- University of Texas at Austin
- Virginia Tech
- West Texas A&M University
- West Virginia University
- Western Carolina University
- Western Michigan University
- William & Mary
- Williams College
- Yavapai College
What is in the HECVAT toolkit?
The Higher Education Community Vendor Assessment toolkit includes:
Should I rely solely on HECVAT?
While HECVAT is a great security assessment template. It's doesn't form a complete vendor risk management program.
HECVAT is a point-in-time assessment that is static and subjective. It doesn't account for the changes that can occur after you receive the complete security assessment from a vendor.
Security ratings are calculated based on objective, externally observable, continuously available and verifiable information. This means that they are always up-to-date and a great complement to traditional security assessments.
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs.
Additionally, many security leaders find security ratings an invaluable part of increasing security awareness, managing cybersecurity performance, and reporting cybersecurity metrics to their Board of Directors, C-Suite and even shareholders.
How UpGuard can improve your vendor risk management program
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security posture.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can help you continuously monitor your vendors' external security controls and provide an unbiased security rating.
We base our ratings on the analysis of 70+ vectors including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security questionnaires
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more.
You can read more about what our customers are saying on Gartner reviews.
If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.