The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that attempts to generalize higher education information security and data protection questions and issues regarding cloud services for consistency and ease of use. 

HECVAT has three free versions mapping to popular cybersecurity frameworks, including ISO 27002, NIST CSF, NIST 800-171, and PCI DSS.

  • Original version: 265 questions, including qualifying questions for HIPAA and PCI-DSS opt-in
  • Lightweight version: A lightweight questionnaire used to expedite the process
  • On-premise: A unique questionnaire used to evaluate on-premise applications and software

Like many vendor risk assessment templates, HECVAT combines vendor risk management best practices and common security control requirements for reducing third-party risks.

Track HECVAT compliance with this free checklist >

Why Was the HECVAT Created?

The creation of the Higher Education Cloud Vendor Assessment Tool (HECVAT), which has now been renamed to the Higher Education Community Vendor Assessment Tool (HECVAT) to reflect its intended use beyond the cloud better, was driven by the following trends:

  • The increasing number of third-party vendors the average university or college uses
  • The need to protect the PII of constituents due to the increasing number of extraterritorial data protection laws such as PIPEDA, GDPR, LGPD, the SHIELD Act, and FIPA
  • The increasing trend of data breaches caused by insecure procurement processes.
  • The need to protect institutional information and sensitive data
  • The increasing size and frequency of first, third, and fourth-party data breaches and data leaks
  • The growth in cloud services and cloud providers 

HECVAT was created by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group in collaboration with Internet2 and REN-ISAC by crowdsourcing various vendor assessments and analyzing which regulations worked best for different higher ed situations.

What are the Benefits of Using HECVAT?

HECVAT allows higher education security teams to operate more efficiently, by helping ensure that cloud services are appropriately assessed for security and privacy needs, including those unique to higher education institutions. 

HECVAT aims to reduce costs through cloud services without increasing cybersecurity risk while reducing the burden cloud service providers face when responding to security assessment requests from higher education institutions. 

Several cloud providers, such as Google, have completed the HECVAT questionnaire and provided their HECVAT assessments on the Cloud Broker Index (CBI). 

The CBI provides an up-to-date list of vendors who have willingly shared their complete HECVAT, allowing security assessors at colleges and universities to use the posted assessment, saving both sides time. 

Learn how to comply with HECVAT.

From a vendor’s perspective, preemptively demonstrating HECVAT compliance to prospects could significantly speed up the sales cycle since SaaS products often require IT and procurement approval.

These completed assessments - and any other relevant security documentation - can be uploaded to a Shared Profile on the UpGuard platform so that they can be conveniently shared with prospects.

Shared Profile by UpGuard
Shared Profile by UpGuard. Click here for a free trial.

Why is HECVAT Important?

HECVAT is important because higher education institutions rely heavily on outsourcing and on-sourcing, introducing potential vendor risk.

Higher education is outsourcing more because good vendors provide benefits, including:

  • Specialization: Many products or services are so specialized that outsourcing to a dedicated company will provide better performance and a lower level of risk than performing the function in-house, e.g., accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement or loan servicing.
  • Cost savings: Many vendors offer goods or services at a lower cost than if they were processed internally. 

As a security questionnaire, HECVAT forms an important part of a robust vendor risk management (VRM) program.  

Learn why vendor risk management is important >

Who Uses HECVAT?

The intended audiences for HECVAT are colleges, universities, and the third-party service providers they contract to. According to EDUCAUSE, dozens of leading organizations have adopted HECVAT to measure the potential risks to their university, campus, and student body from third and fourth parties, including:

  • American University
  • Appalachian State University
  • Art Institute of Chicago
  • Bates College
  • Baylor University
  • Berry College
  • Black Hills State University
  • Boston College
  • Bowling Green State University
  • Brown University
  • California Baptist University
  • California State University, all Campuses, and System
  • Carnegie Mellon University
  • Carthage College
  • Champlain College
  • Clarkson University
  • Columbus State Community College
  • Cornell University
  • Davidson College
  • Denison University
  • DeSales University
  • Drake University
  • Drexel University
  • Duquesne University
  • East Carolina University
  • Ferris State University
  • Foothill-De Anza Community College District
  • Franklin & Marshall College
  • Gallaudet University
  • Georgia Institute of Technology
  • Hillsborough Community College
  • Indiana University
  • Indiana Wesleyan University
  • Institute for Advanced Study
  • John Carroll University
  • Kent State University
  • LeTourneau University
  • Linfield College
  • Longwood University
  • Madison College
  • Methodist University
  • Miami University
  • Montclair State University
  • Montgomery College
  • Morgan State University
  • Northern Arizona University
  • Oakland University
  • Ohio Northern University
  • Oregon State University
  • Pace University
  • Pacific University
  • Pepperdine University
  • Princeton University
  • Radford University
  • Rice University
  • Rowan University
  • Rutgers University
  • Sam Houston State University
  • Southern Alberta Institute of Technology
  • Springfield College
  • Stony Brook University
  • Suffolk County Community College
  • Susquehanna University
  • Tennessee Tech University
  • Texas State University
  • Troy University
  • Truman State University
  • University of California, Davis
  • University of Delaware
  • University of Denver
  • University of Idaho
  • University of Maine System
  • University of Maryland Baltimore
  • University of Massachusetts Amherst
  • University of Oregon
  • University of Portland
  • University of Rhode Island
  • University of Richmond
  • University of Tennessee, Knoxville
  • The University of Texas at Austin
  • Virginia Tech
  • West Texas A&M University
  • West Virginia University
  • Western Carolina University
  • Western Michigan University
  • William & Mary
  • Williams College
  • Yavapai College

What is in the HECVAT Toolkit?

The Higher Education Community Vendor Assessment toolkit or HECVAT tools include:

UpGuard offers security questionnares for both HECVAT Lite and HECVAT Full.

Learn about UpGuard's security questionnare features >

Should I Rely Solely on HECVAT?

While HECVAT is a great security assessment template, it doesn't form a complete vendor risk management program.  

HECVAT is a point-in-time assessment that is static and subjective. It doesn't account for the changes that can occur after you receive the complete security assessment from a vendor. 

This is why security ratings are important. Security ratings are a data-driven, objective, and dynamic measure of a vendor's security posture

Third-party risk management teams commonly use them to monitor and benchmark vendors continuously.

Security ratings are calculated based on objective, externally observable, continuously available, and verifiable information. This means that they are always up-to-date and complement traditional security assessments. 

According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services.

Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A, and even as a raw metric for internal security programs.

Additionally, many security leaders find security ratings invaluable in increasing security awareness, managing cybersecurity performance, and reporting cybersecurity metrics to their Board of Directors, C-Suite, and even shareholders.

Learn how to achieve a good HECVAT score >

How UpGuard Supports HECVAT Compliance

UpGuard’s Vendor Risk Management solution includes HECVAT-specific security questionnaires for both HECVAT full and HECVAT lite, allowing both education entities and their suppliers to track compliance efforts.

HECVAT security questionnaires on the UpGuard platform
HECVAT security questionnaires on the UpGuard platform

By also helping helping organizations detect and mitigate third-party security risks, UpGuard helps educational entities reduce the potential of student data being compromised in third-party data breaches.

Ready to see
UpGuard in action?