The Higher Education Community Vendor Assessment Toolkit (HECVAT) helps higher education mitigate the impact of security risks of vendor relationships offering cloud-based services.

With supply chain attacks on the rise, and vendor risks ranking in the top three initial attack vectors for data breaches, HECVAT compliance is becoming a mandatory requirement for partnering with higher education institutions.

Whether you’re a third-party vendor hoping to expand into the education sector or you’ve been requested to comply with HECVAT, this compliance guide will help. To get the most value from this post, download its accompanying checklist.

A Quick Overview of HECVAT 

HECVAT was established by the Higher Education Information Security Council (HEISC) and the Shared Assessments Working Group in collaboration with Internet2 and REN-ISAC.

The objective of HECVAT is to allow higher education institutions to continue leveraging the operational benefits of cloud service providers while minimizing the impact of their security risks.

Learn more about inherent and residual risks >

There are two parties involved in the HECVAT assessment process:

  • Higher Ed institutions - HECVAT compliance confirms a vendor is following best data protection practices. This, in turn, confirms the vendor has cybersecurity controls in place to mitigate the impact of sensitive data compromise in the event of a data breach attempt.
  • Third-Party Vendors - Third-party vendors that are HECVAT compliant increase their likelihood of forming business relationships in the education sector.

HECVAT was originally known as the Higher Education Cloud Vendor Assessment Tool, which was comprised of a lengthy list of security questions. With its name change, HECVAT evolved into an entire toolkit to support risk management for all third-party service providers, not just cloud services.

Learn about the state of University cybersecurity >

HECVAT’s toolkit now offers multiple tools to accommodate the unique cyber security risk management requirements of different educational institutions and third-party service providers.

  • HECVAT Full - This is HECVAT’s most comprehensive security assessment. The 250 questions in HECVAT full offer the highest level of scrutiny for security controls protecting Personal Identifiable Information (PII).
  • HECVAT Lite - This HECVAT tool is a more concise version of HECVAT full. This risk assessment is suitable for vendors that don’t process critical data.
  • HECVAT On-Premise - HECVAT’s on-premise assessment is used to evaluate on-premise appliances processing PII.
  • HECVAT Triage - This assessment is intended for Edu institutions only, not vendors. The Triage assessment helps education entities document their data sharing intentions so they can be shared with prospective vendors.

Learn more about HECVAT >

HECVAT Compliance Checklist

The following checklist can be used as a template for a HECVAT-compliant cybersecurity program. Many components need to be addressed when assessing HECVAT compliance. For brevity, only the primary HECVAT compliance components are outlined below. You can download a complete HECVAT compliance checklist by following the link below.

Download the complete HECVAT compliance checklist >

1. Identify Which HECVAT Tier Applies to You

The first step towards HECVAT compliance is understanding which tier within the toolkit applies to your organization. To help you decide, here’s an overview of the different use cases for each assessment:

Who should complete HECVAT full?

HECVAT full should be completed by service providers processing critical customer data, such as Personal Identifiable Information (PII).

Learn what constitutes a PII classification >

Vendors that should complete a HECVAT full don’t necessarily fit into an objective category. Data sensitivity scales differ across each organization, and you might decide that vendors required to comply with HIPAA should also complete a HECVAT full assessment.

Thankfully, this decision isn’t entirely driven by intuition. A quantitative answer can be derived by mapping your data classification policies to HECVAT’s security control list (this can be found in the third tab of the HECVAT full assessment).

The HECVAT Full assessment can be accessed via the Educause website.

Who should complete HECVAT Lite?

HECVAT lite should be completed by service providers that do not process Personal Identifiable Information, either within cloud solutions or on-premise appliances.

If you’re not sure whether your processes involve PII, a HECVAT full assessment should be completed just to be safe.

The HECVAT Lite assessment can be accessed via the Educause website.

Who should complete HECVAT On-Premise?

Service providers with appliances or software processing critical information on their premises should complete the on-premise assessment.

The HECVAT On-Premise assessment can be accessed via the Educause website.

Who should complete HECVAT Triage?

HECVAT triage should ideally be completed by all educational institutions exercising any form of private data sharing. Triage assessments are often requested in the risk assessment process during security posture audits of educational institutions.

Learn more about security assessments >

Keep in mind that all of the free HECVAT assessments on the Educause website are available in xls format, and managing spreadsheet questionnaires is not a best practice for a scalable VRM program.

A vendor assesment management solution that includes a HECVAT questionnaire template should be utilized for ease of use.

Learn how to scale your VRM program >

2. Identify Your Data Sharing Thresholds

This step is only applicable to educational institutions. Complete a HECVAT triage to map all of your data-sharing engagements and the data centers institutional data is stored in - including flows between SaaS solutions. This effort may also require you to map the digital footprint of your information technology ecosystem.

The data collected from a triage assesment will paint a picture of data sharing thresholds, information that will inform the definition of your risk appetite.

3. Map Your Data Sharing Thresholds to Your Risk Appetite

The result from your triage assessment may prompt a re-evaluation of your risk appetite. After comparing the two profiles, you may find that your risk appetite needs to be adjusted for any security risks associated with overlooked data sharing practices.

A well-defined risk appetite will keep all data processing efforts, including those involved in procurement processes, within HECVAT’s recommended boundaries.

Learn how to calculate your risk appetite >

4. Identify any Security Control Gaps Between HECVAT and Your Cybersecurity Program

It’s important to understand that the HIgher Education Community Vendor Assessment Tool (HECVAT) was not designed from the ground up. Its features were influenced by a variety of regulations and cybersecurity frameworks, including HIPAA and PCI DSS. Even the structure of SOC reports, particularly the self-disclosure components, played a role in molding the final HECVAT assessment program.

Because HECVAT maps to multiple regulations and vendor risk management standards, you may already have security controls in place supporting HECVAT compliance. You can confirm this by comparing HECVAT’s list of recommended controls against your own.

HECVAT’s list of controls and guidelines can be found in the third tab of the HECVAT full assessment.

A deeper understanding of your security control management process will reveal the true strength of your business continuity, disaster recovery and incident response plans.

Learn how to achieve an acceptable HECVAT score >

Is HECVAT Sufficient for Managing Vendor Risks for Higher Education Institutions?

HECVAT offers educational entities a roadmap for improving their vendor security, but it fails to address the complete scope of Vendor Risk Management (VRM).

HECVAT is essentially just a security questionnaire, which is just a single component of a Vendor Risk management program within the risk assessment category.

The Vendor Risk Management lifecycle is comprised of 4 stages:

  1. Risk assessments - Used to uncover vulnerabilities and third-party risks. They’re often thematic, mapping to HECVAT. and other frameworks like NIST CSF.
  2. Remediation planning - Intelligent prioritization of vendor risk with the highest potential negative impact on security postures.
  3. Ongoing monitoring - Ongoing monitoring of the internal and third-party attack surface through security ratings and data leak detection scans.
  4. Threat discovery - Discovery of new residual risk from monitoring efforts.

UpGuard offers a complete end-to-end vendor risk management solution to help education entities address the complete scope of vendor security. UpGuard also offers HECVAT-specific security questionnaires to help education entities and suppliers track their cybersecurity performance against HECVAT's security standards.

HECVAT security questionnaires on the UpGuard platform
HECVAT security questionnaires on the UpGuard platform

Because HECVAT maps to a series of security frameworks, such as NIST CSF, ISO 27002, HIPAA, CIS Critical Security Controls, etc., ensuring alignment against these frameworks may simplify HECVAT compliance efforts. 

With a platform like UpGuard, you can track your alignment efforts against popular cyber frameworks like NIST CSF. Watch the video below for an overview of UpGuard's compliance reporting features in this area.

Ready to see
UpGuard in action?