HECVAT Vendor Risk Framework

What is HECVAT?


The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a risk assessment questionnaire created in 2016 specifically for higher education institutions to assess the risk of using third-party vendors. It was developed by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group, in collaboration with Internet2 and REN-ISAC. Its purpose is to provide a baseline for evaluating vendor-provided services and resources in higher education. The framework is relevant to anyone who works in higher education and to any solution provider that serves colleges and universities.


Over the years, universities have become more agile and efficient by migrating their systems to the cloud and engaging third-party services for everything from maintenance and administration to student recruitment and alumni engagement. Each of those engagements hands institutional data to an outside party, so data protection and vendor security have become top priorities for campus IT teams and their leaders. Understanding and applying HECVAT is therefore quickly becoming a necessity for many institutions.

Colleges and universities can require a completed HECVAT from a potential solution provider before purchasing its product. The completed questionnaire gives the institution documented, vendor-attested evidence of the cybersecurity controls, policies and procedures in place to protect sensitive institutional information and constituents' PII (personally identifiable information). Because the answers are self-reported, assessors typically review them alongside supporting evidence such as audit reports or penetration test summaries rather than treating the questionnaire alone as verification.


Solution providers complete the assessment once, and the same completed questionnaire can then be reused by multiple institutions, streamlining procurement with their higher education clients. Over 100 academic institutions already use HECVAT, and more than 30 vendors have made their completed HECVAT assessments available online through REN-ISAC.


At the time of writing, the latest version of the vendor questionnaires (Full, Lite and On-Premise) is v2.11 (2019), and the latest version of the institution worksheet (Triage) is v2.1 (2019).

What are the requirements for HECVAT?


HECVAT is a suite of tools from which colleges and universities select the assessment that fits the engagement at hand. It is free of charge. There are four HECVAT tools: Full, Lite, On-Premise and Triage.

The Full, Lite and On-Premise worksheets are completed by vendors, that is, by companies interested in providing an institution with software and/or a service. These three worksheets should not be completed by an institution. Their purpose is for the vendor to submit detailed information about the security safeguards of the product (software or service) being evaluated in the institution's assessment process.

  • HECVAT – Full: Robust questionnaire for the most critical data-sharing engagements (over 250 questions)

  • HECVAT – Lite: A lightweight version of the Full assessment, used for an expedited process or a less critical engagement

  • HECVAT – On-Premise: A questionnaire tailored to evaluating appliances and software that run on the institution's own premises rather than in the vendor's cloud

The Triage tool is completed by the institution, not the vendor.

  • HECVAT – Triage: This worksheet is for institutional requestors who intend to share institutional data with a third-party software product and/or service. It should not be completed by a vendor. Its purpose is to document and summarize the data-sharing intent and scope, the data elements involved, and the technology requirements. Completing a HECVAT Triage is the prerequisite for initiating a risk/security assessment, and its answers determine which vendor questionnaire (Full, Lite or On-Premise) the engagement requires.

The Community Broker Index (CBI) provides an up-to-date list of vendors who are willing to share their completed HECVAT. Security assessors at colleges and universities can use the posted assessment instead of requesting a new one, saving time for both the assessors and the service providers. Vendors who have shared their assessments include Fortinet, Google, LastPass, and more.


Why should you be HECVAT compliant?

Universities are an attractive target for threat actors, and the number of attacks against them continues to increase every year. A data or privacy breach can cause significant monetary loss and reputational damage. Yet without a consolidated approach, academic institutions fall back on ad hoc, manual vendor reviews that do little to ensure either compliance or security.

HECVAT helps in these key areas:

  • Assists higher education institutions in ensuring that cloud services are appropriately assessed against security and privacy needs, including some that are unique to higher education

  • Provides a consistent, easily adopted methodology for campuses that wish to reduce costs through cloud services without increasing risk

  • Reduces the burden that cloud service providers face in responding to requests for security assessments from higher education institutions

Solution providers that do not complete a HECVAT assessment risk losing business, since institutions will prefer vendors with a completed HECVAT over those without one.

Universities that do not require HECVAT for their third-party software leave vendor security controls unexamined, and weaknesses in a vendor's product or operations can lead to a damaging breach of institutional data.

HECVAT is therefore a necessary tool both for universities that rely on third-party technology services and for vendors that need to demonstrate their security posture.

How to Achieve Compliance?


Universities benefit from HECVAT by evaluating potential vendors through the vendors' completed HECVAT questionnaires. With many vendors and hundreds of questions per assessment, it is easy to lose track of the information. Vendors, for their part, may be unsure which HECVAT tool is the right fit for them and how to go about completing it.


Academic institutions and vendors can use Centraleyes to manage their HECVAT assessments with visual dashboards and customized reports.

  • Higher Education Institutions: Centraleyes simplifies your ongoing third-party risk management process. With Centraleyes, your cyber risk team can easily and quickly:

    • Manage the HECVAT results of hundreds of vendors simultaneously from one centralized interface

    • Categorize and compare vendors by their HECVAT score on a consistent scoring scale that quantifies risk likelihood and potential impact

  • Solution Providers:

    • Vendors can complete their required HECVAT assessments through Centraleyes' smart questionnaires; the completed assessment is then uploaded to REN-ISAC, adding the vendor to the CBI list of service providers willing to share their completed assessments

    • Security assessors at academic institutions can use your posted assessment directly, saving you time and resources on repeated questionnaires

Using Centraleyes for all your HECVAT requirements significantly streamlines the entire vendor management process and gives the cyber risk team full visibility into the risk posture of the institution's supply chain.
