What are the different versions of HECVAT?

Its purpose is to provide a baseline assessment for evaluating vendor-provided services and resources in higher education. The framework is relevant to anyone who works in higher education or for a solution provider that serves colleges and universities.

Over the years, universities have become more agile and efficient as they migrate their solutions to the cloud and employ third-party services for everything from maintenance work and administration to student recruitment and alumni engagement. Data protection and security are becoming top priorities for school IT teams and their leaders as technology evolves. This means that HECVAT compliance, as well as HECVAT certification, will quickly become a necessity for many institutions.

The latest version for vendors (Full, Lite and/or On-Premise) is v.2.11 – 2019 and the latest version for institutions (Triage) is v.2.1 – 2019.

What Are the Versions of HECVAT?

HECVAT is a suite of tools that allows colleges and universities to select the correct assessment for their needs. It is completely free of charge. There are four HECVAT tools: Full, Lite, On-Premise, and Triage. 

The Full, Lite, and On-Prem worksheets are for vendors to complete. Vendors that want to provide an Institution with software and/or a service must comlete these worksheets. An Institution entity should not complete the three worksheets. The purpose of these worksheets is for the vendor to submit robust security safeguard information regarding the product (software/service) being assessed in the Institution’s assessment process. 

• HECVAT – Full: Robust questionnaire for the most critical data-sharing engagements (over 250 questions)
• HECVAT – Lite: A lightweight version of the full assessment used for an expedited or less-critical process 
• HECVAT – On-Premise: A unique questionnaire for evaluating on-premise appliances and software 

The Triage tool is an option for institutions to complete if they are interested. 

• HECVAT – Triage: This worksheet is for Institution requestors interested in sharing institutional data with third-party software and/or a service. It should not be completed by a vendor. The purpose of this form is to document and summarize data sharing intents, data sharing scope, data elements, and technology requirements. Populating a HECVAT Triage is a prerequisite to initiate a risk/security assessment. It helps to determine assessment requirements.