HECVAT (Higher Education Community Vendor Assessment Toolkit) is a security assessment questionnaire that measures the cybersecurity risk of third-party vendors for higher education institutions. It helps universities ensure that their third-party vendors have implemented proper security practices and policies, which are measured against a comprehensive list of security controls, to protect the large amounts of sensitive data and personally identifiable information (PII) they manage. A single data breach or data leak from a third-party service provider could potentially compromise an entire school system and its systems.
More importantly, HECVAT is an essential tool for higher education schools to launch their vendor risk management (VRM) programs. VRM programs are often challenging to implement but enable schools to properly manage third-party security risks. Essentially, HECVAT can help educational institutions establish a basic security framework to monitor third-party vendor risks.
As more schools begin to adopt the use of HECVAT, it will push the entire education industry to improve their overall cybersecurity standards as well, especially for their vendors and suppliers. This article will discuss how schools can begin to integrate HECVAT into their VRM programs and what they need to begin the process.
Understanding the Different Types of HECVAT
HECVAT is a comprehensive template that covers 22 different categories with 265 questions that also coincide with other security frameworks and regulations, such as HIPAA (Health Insurance Portability and Accountability Act), the NIST SP 800-171, ISO 27001, PCI-DSS (Payment Card Industry - Data Security Standards), and SOC 2 compliance among many others.
However, not all higher ed schools will need the entire HECVAT tool, depending on the vendor’s size, the type of data that they handle, or if they simply need a more streamlined process that doesn’t require full compliance with other frameworks.
In effect, there are three versions of HECVAT that schools can choose from:
- HECVAT Full - HECVAT Full is the complete security assessment that includes all 22 categories and 265 questions designed for vendors handling the most critical data. HECVAT Full categories also include assessments for HIPAA and PCI-DSS compliance.
- HECVAT Lite - HECVAT Lite covers 14 sections of the 22 available and removes questions related to HIPAA and PCI-DSS. There are only 62 questions in the Lite version, which helps save time for vendors that aren’t handling critical data.
- HECVAT On-Premise - HECVAT On-Premise is the shortest version of the tool, consisting of 11 different categories and 55 questions. Vendors that don’t use cloud services and only use on-premise appliances and software can use On-Premise to assess their security risks.
There is a fourth tool, called HECVAT Triage, which vendors or schools can use to determine which of the three main versions of HECVAT they need for their vendor risk assessment.
Integrating HECVAT into Your VRM Program
Establishing HECVAT as part of your VRM program requires a series of steps to ensure that the program is formalized and complete. An effective third-party risk management program should cover all aspects of the vendor lifecycle, including the following:
- Initial risk assessment and vendor screening
- Vendor onboarding process
- Audit and review process
- Reporting expectations
- Continuous vendor monitoring
- Data sharing thresholds
- Risk acceptance levels
- Regulatory compliance
- Vendor relationship management
While the HECVAT is a powerful core assessment tool, it’s important to note that it shouldn’t be the only one used to establish a system of controls and assessments. Other compliance certifications should also be used with HECVAT to ensure that all the bases are covered. Schools should also consider using dedicated VRM solutions, like UpGuard, which can help assess vendors with automated software and workflows.
The integration process consists of three main steps, each with its own set of steps:
Here’s how your organization can begin to implement a strong VRM program with HECVAT:
Preparing for a VRM Program using HECVAT
Here are some actionable items that should be completed before establishing HECVAT as part of the VRM program:
Identify Which HECVAT Version the Vendor Needs
Schools need to understand and identify the use case and type of data the vendor is working with to provide them with the correct version of HECVAT. Vendors working with non-critical data won’t need to complete HECVAT Full and could spend unnecessary time trying to meet standards that don’t apply to them. Conversely, vendors working with critical data need to be HECVAT Full-compliant to ensure that they meet all the requirements.
Ideally, all schools should complete HECVAT Triage to determine the correct version the vendor needs to complete.
Determine Risk Acceptance Levels
During the risk assessment process, schools need to determine the level of risk they are willing to accept before agreeing to partner with the vendor. All vendors will have some risk that needs to be remediated, but if they don’t meet the minimum standards set by the institution, their risk profile may be too large to accept.
In addition to their HECVAT score, schools should create their own internal grading system or checklist to determine if the risks involved are minimal enough to resolve and if the importance of the vendor is worth taking on the risk. Schools can customize their evaluation criteria to determine what risks are non-negotiable based on their long-term business goals.
Consider Outsourcing Dedicated VRM Solutions
Vendor relationship management is a crucial part of VRM, and with hundreds or thousands of vendors to manage, using a manual process with folders and spreadsheets creates room for error and inefficiencies. It can also be time-consuming and resource-intensive, which is why schools should consider using dedicated VRM solutions.
Automation is a big part of any vendor risk management program because it allows schools to assess vendor risks, manage security questionnaires like HECVAT, gain an overview of their vendors, and track vendor progress on a single dashboard. Additionally, the VRM solution can send out and collect questionnaire responses automatically, saving valuable time and energy.
Integrating HECVAT into the VRM Program
Once preparation and planning are complete, you can begin to integrate HECVAT into your VRM program:
Requesting HECVAT from Vendors
Whether newly onboarded or long-time partners, schools can request that vendors complete HECVAT based on the version assigned to them. Once completed, the school needs to collect and evaluate the results to move on to the next step.
In the same communication, schools can also request certifications, questionnaires, and any other required documentation as part of their new VRM program.
Assess Vendor Risk and Identify Security Gaps
Once HECVAT results have been submitted during the procurement process, it’s up to the school and the security team to begin the vendor due diligence process. The first part of the assessment process involves risk tiering, which classifies the vendors by risk level (Low, Medium, High, Critical). If the vendor shows a low HECVAT score, they are immediately classified as a Critical Risk, and further evaluation should be prioritized.
If a potential vendor is being looked at and is classified as either High or Critical Risk, it may not be advisable to work with that specific vendor, depending on the risk acceptance levels that were determined. If this is the case, schools should reject that vendor and seek new alternatives.
However, if an essential vendor has poor HECVAT scores, its risk remediation processes should be prioritized to limit the risk of a security breach or data exposure. Dedicated VRM solutions can also quickly assess security postures with instant security ratings and questionnaires.
Catalog Vendors and Begin Prioritizing Risk Remediation
Schools should create a complete vendor catalog or list as part of the vendor relationship management process once the vendor meets minimum security requirements. Having a complete list of vendors also helps prioritize remediation processes based on their level of risk.
Schools can begin risk and vulnerability remediation by prioritizing high-risk vendors that handle the most sensitive data. Although the goal is to ensure that all risks have been fixed, this creates a better workflow to organize vendor security. A great way to keep an accurate catalog of vendors and their security postures is through a dedicated solution like UpGuard Vendor Risk.
Managing VRM Programs with HECVAT
Successful VRM programs don’t stop after the assessment portion — they must continue to scale and mature over time to keep up with growing cyber threats.
Practice Continuous Monitoring
Essentially, VRM programs should work around the clock to identify data leaks, potential security breaches, and unpatched vulnerabilities. Whether it’s an IT team actively monitoring third-party security or automated software from a VRM solution, maintaining visibility into the vendors' security postures is one of the most important things to do.
Especially regarding supply chain risk, schools need to consider an attack surface monitoring tool to continuously monitor all potential cyber risks and risk entry points, which includes third and fourth parties.
Perform Annual Audits and Reviews
Higher education schools can require vendors to complete HECVAT annually to ensure they are keeping their data security practices up. Vendors that have fallen behind should be quickly identified and alerted, or if they consistently maintain poor security, it may be time to find a replacement.
This step can also include any other vendor assessments and isn’t limited to an annual assessment. In some cases, bi-annual assessments may be necessary to identify third-party risks.
Build a Vendor Maturity Model
As the organization grows, vendor security must grow along with it. Different vendors will be at different stages of the maturity model, but it’s important to identify at which stage the vendor is so that their maturity can be measured and tracked. The maturity model also provides a framework for the vendor to develop a strategy and pathway to improve its security programs.
An example of a vendor maturity model can include the following pathways:
- Startup or no third-party risk management
- Initial vision and ad hoc activity
- Approved roadmap and ad hoc activity
- Defined and established security
- Fully implemented and operational
- Continuous improvement and independence
How UpGuard Can Help with HECVAT Integration into VRM Programs
UpGuard is an industry-leading platform that can help manage the entire end-to-end process of VRM. Using proprietary software and easy-to-use dashboards, UpGuard has helped hundreds of companies build their VRM programs from the ground up with instant security ratings, customized security questionnaires, automated leak detection, and comprehensive attack surface monitoring.
UpGuard also offers a pre-built HECVAT questionnaire that educational institutions can send out to their vendors and manage all questionnaire responses in one platform. Risks are automatically identified and tiered based on vendor responses, which the school can decide to waive or escalate based on the vendor. Finally, the expert team of analysts at UpGuard can work with your organization to determine a remediation plan and build a risk assessment workflow to save time and resources.