The HECVAT (Higher Education Community Vendor Assessment Toolkit) is a security assessment framework in the form of a questionnaire that’s specifically designed for higher education institutions to measure vendor risk.
HECVAT attempts to standardize higher education information security and data protection requirements for cloud service providers and third-party solutions, specifically for their consistency, compatibility, and ease of use.
When an educational institution decides to purchase third-party solutions, they usually ask the provider to fill out a HECVAT questionnaire to ensure that all information, data, and cybersecurity requirements are in order.
Whether you’re a vendor hoping to improve your service’s score, or an institution concerned with meeting HECVAT standards, this article will show you how to achieve a good HECVAT score. Read on to learn more about HECVAT compliance and the different variations of the HECVAT security assessment templates.
Learn more about the scope of HECVAT.
How HECVAT Evaluates Vendors
Much like other vendor risk assessment questionnaires, HECVAT is based on the combined strength of common security control requirements and best practices for vendor risk management.
Vendors must thoroughly answer all of the listed questions and provide the relevant data, additional documentation, policies, and evidence (for example, the results of security audits) to support their answers. The completed questionnaire is then evaluated and the vendor is assigned a HECVAT score.
To make the evaluation thorough, the questions and requirements are consolidated from multiple sources rather than drawn from a single framework.
Learn how to comply with HECVAT.
What Is the Minimum Recommended HECVAT Score?
A HECVAT score above 90% is considered good for a vendor or third-party solution, while 70% is the bare minimum acceptable score.
The institution may flag specific answers and ask the vendor follow-up questions depending on its score, reputation, and other factors. This is a crucial part of due diligence: it ensures that a vendor’s HECVAT score improves before the partnership is established.
If you want to learn more about security questionnaires, read our guide on the top questionnaires here.
Speeding up the Assessment Process With the CBI
Many cloud providers like Google have a pre-completed HECVAT questionnaire that can be used by other institutions. The assessment can be found via the Cloud Broker Index (CBI).
The Cloud Broker Index is a list of vendors that have successfully completed the HECVAT evaluation and have consented to publicly share their HECVAT scores.
The CBI saves organizations time and effort by enabling security assessors from colleges and universities to consult this up-to-date list when evaluating their service providers’ security standards.
The CBI’s list is consistently updated, and depending on the template, organizations can use the completed questionnaires to expedite the assessment process.
View the Cloud Broker Index (CBI).
Why Is HECVAT Important?
In recent years, higher education sectors have become a target of cybercriminals.
In March 2021, the FBI released an advisory in response to a cluster of PYSA ransomware attacks that targeted education institutions in 12 US states over the last year.
Inside Higher Education also reports that many universities and colleges are becoming frequent targets for bad actors and have suffered IT damages through a third-party cloud storage provider.
Not only that, but even the colleges’ vendors and third-party organizations have been direct targets of cyberattacks that threaten to compromise both the vendors’ and institutions’ sensitive data via vulnerabilities.
As the IT and cybersecurity practices that protect the institutional data of higher education institutions continue to evolve, it’s important to understand the benefits of HECVAT and how crucial its implementation in these institutions really is.
Many educational institutions like colleges and universities have not yet grasped the seriousness of cybersecurity risk. Their procurement processes are inconsistent, and they’re still managed by outdated IT systems with no coherent security program, leaving their data centers at risk.
The Main Goals of HECVAT
HECVAT aims to:
- ensure the protection of sensitive data and the PII (Personally Identifiable Information) of constituents;
- ensure that data protection and data management procedures implemented by the vendors are up to standards;
- ensure that the entity has a well-documented Business Continuity Plan (BCP);
- ensure that there’s a Disaster Recovery Plan (DRP) in place;
- reduce costs for cloud services without increasing cybersecurity risk;
- help with reducing the burden that cloud service providers face when responding to requests for security assessment from higher education institutions.
For higher education institutions and their third-party vendors, HECVAT provides a common starting point for the risk assessment process.
For education institutions, HECVAT has two main benefits:
- Improving security standards: HECVAT offers a very robust solution for security assessment. With a consistent framework like HECVAT, higher education institutions can properly assess their security and privacy standards.
- Saving time: by standardizing risk assessment via HECVAT, schools can have peace of mind and save time when evaluating third-party solutions. Most importantly, it’s very easy to implement, as education service providers are likely already familiar with it.
Why Was HECVAT Created?
Responding to heightened cybersecurity risk, the education sector has recently developed the need to tighten its cybersecurity standards, much like healthcare, finance, and government.
HECVAT, originally the Higher Education Cloud Vendor Assessment Tool, was created in response to the evolving threat landscape surrounding higher education. Since gaining a wider scope outside higher education, HECVAT was renamed the Higher Education Community Vendor Assessment Tool, better reflecting its purpose beyond the cloud.
Trends That Changed the HECVAT’s Purpose
Here are the new trends in cyberspace that shifted the purpose of HECVAT:
- The growing popularity of cloud services, cloud providers, and third-party vendors in universities and colleges;
- The importance of safeguarding sensitive data in education institutions from data breaches and data leaks;
- The importance of protecting PII (Personally Identifiable Information) of higher education constituents;
- Complying with extraterritorial data protection laws and standards like GDPR, LGPD, PIPEDA, FIPA, and the SHIELD Act.
Who Created HECVAT?
The Higher Education Information Security Council (HEISC), with the aid of privacy professionals and cybersecurity experts, developed the HECVAT to help colleges and universities deal with the challenge of measuring vendor risk.
They crowdsourced different types of vendor assessments and determined which measures and regulations were most effective for higher education institutions.
Some of the other parties that helped create HECVAT are:
- Shared Assessments Working Group;
- REN-ISAC (Research & Education Networks Information Sharing & Analysis Center).
Read more about why vendor risk management is important.
What Are the HECVAT Frameworks?
It’s worth noting that HECVAT was not created from scratch. It is a mesh of existing cybersecurity frameworks, with features influenced by various regulations and standards, including:
- CIS Critical Security Controls,
- ISO 27002,
- NIST Cybersecurity Framework,
- NIST 800-171,
- PCI DSS, and more.
Even the structure of SOC reports (specifically, self-disclosure components) has played a crucial role in cementing the final versions of the HECVAT assessment program.
Since HECVAT is connected to various regulations and vendor risk management standards, an organization may already have security controls implemented that are in compliance with a certain HECVAT template.
If you want to find out, you can map your compliance against HECVAT’s list of recommended controls and guidelines in the third tab of the HECVAT Full assessment.
What’s Contained in the HECVAT Toolkit?
The Higher Education Community Vendor Assessment Toolkit comes in several versions, the fullest of which consists of 22 categories and 265 questions.
The several different versions of HECVAT enable institutions to pick a version that suits their data requirements. All of these third-party risk assessment frameworks are free to use and offer a streamlined, straightforward approach.
Here are the four most common HECVAT frameworks:
1. HECVAT Full Version (Original Version)
The full version of this robust questionnaire covers all 22 categories with 265 questions on critical data, data sharing, and general information. It also includes questions on HIPAA and PCI DSS guidelines.
2. HECVAT Lite
As the name suggests, this is a lightweight version of the standard assessment framework that covers 14 of the 22 categories with a total of 62 possible questions. It’s used for faster and simpler vendor assessments of less-critical data processes, so it omits the HIPAA and PCI DSS sections, among others.
3. HECVAT On-Premises
This version is designed for evaluating on-premises software, appliances, and cloud solutions. It covers 11 of the 22 total categories and consists of 55 questions.
4. HECVAT Triage
The HECVAT Triage questionnaire is used as a prerequisite for risk assessment or security assessment requests. It helps higher education institutions to document and summarize data sharing plans, tech requirements, and elements for their prospective vendors, third-party software, or service providers. It’s intended for .edu institutions only, and it’s not to be used by vendors.
Should You Rely Solely on HECVAT?
Though HECVAT is a solid template for vendor risk management and for assessing the security and privacy of an organization, it is not sufficient on its own for maintaining a strong security posture.
HECVAT relies on subjective, self-reported answers and does not account for changes that occur after the vendor security assessment questionnaire has been completed. Moreover, the questionnaire eliminates certain questions based on prior answers, which makes it relatively rigid.
In order to maintain a more data-driven, dynamic, and objective assessment of the security posture of your designated vendor, having an accurate security rating is crucial.
Below are other important considerations for assessing your vendors’ security postures.
Data Classification Guidelines
It’s important for vendors to first consult their own data classification guidelines before considering which HECVAT template they’ll use to suit their needs.
According to Carnegie Mellon University’s (CMU) Information Security Office (ISO), a HECVAT template should be used to set up a suitable framework for classifying institutional data depending on their level of value, sensitivity, and criticality to a certain educational institution.
A HECVAT template must be compliant with the University’s Information Security Policy, and institutions must map the data classification guidelines to the template.
Read CMU’s Guidelines for Data Classification.
Security Rating System
A security rating system is an important tool that third-party risk management teams can use for ongoing monitoring and benchmarking of vendors.
Security ratings rely on objective calculations and observable data that IT experts can verify, so a security rating system is an effective tool that gives security assessment and risk management teams up-to-date information.
Many cybersecurity giants strongly recommend security ratings, and they play a major role in security awareness, managing cybersecurity performance, and reporting cybersecurity metrics to their Board of Directors, C-Suite, and shareholders.
Gartner emphasizes the importance of cybersecurity ratings, comparing them to standard credit ratings for organizations when assessing the risk of existing and new business relationships.
Simply put, when companies or organizations are looking into competitors or new business relationships, they can assess their reputation according to their cybersecurity ratings.
Learn how to implement security ratings into your cybersecurity program.