HECVAT (Higher Education Community Vendor Assessment Toolkit) is a security assessment questionnaire that measures the cybersecurity risk of third-party vendors to higher education institutions. It helps universities verify that their third-party vendors have implemented proper security practices and policies, measured against a comprehensive list of security controls, to protect the large amounts of sensitive data and personally identifiable information (PII) those vendors handle on the institution's behalf.

Why Was the HECVAT Created?

HECVAT was originally the Higher Education Cloud Vendor Assessment Toolkit and was later renamed the Higher Education Community Vendor Assessment Toolkit to reflect its intended use beyond cloud services. Its creation was driven by the following trends:

  • The increasing number of third-party vendors the average university or college uses
  • The need to protect the PII of constituents under a growing number of extraterritorial data protection laws such as PIPEDA, GDPR, LGPD, the SHIELD Act, and FIPA
  • The increasing number of data breaches caused by insecure procurement processes
  • The need to protect institutional information and sensitive data
  • The increasing size and frequency of first, third, and fourth-party data breaches and data leaks
  • The growth in cloud services and cloud providers

HECVAT was created by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group in collaboration with Internet2 and REN-ISAC by crowdsourcing various vendor assessments and analyzing which regulations worked best for different higher ed situations.

What are the Benefits of Using HECVAT?

HECVAT allows higher education security teams to operate more efficiently by helping ensure that cloud services are appropriately assessed for security and privacy needs, including those unique to higher education institutions.

HECVAT aims to let institutions realize the cost savings of cloud services without increasing cybersecurity risk, while also reducing the burden cloud service providers face when responding to separate security assessment requests from many higher education institutions.

Several cloud providers, such as Google, have completed the HECVAT questionnaire and published their HECVAT assessments on the Cloud Broker Index (CBI).

The CBI provides an up-to-date list of vendors who have voluntarily shared their completed HECVAT, allowing security assessors at colleges and universities to reuse the posted assessment and saving both sides time.


From a vendor’s perspective, preemptively demonstrating HECVAT compliance to prospects could significantly speed up the sales cycle since SaaS products often require IT and procurement approval.

These completed assessments - and any other relevant security documentation - can be uploaded to a user's Trust Page (formerly Shared Profile) on the UpGuard platform so that they can be conveniently shared with prospects.

[Screenshot: Trust Page (formerly Shared Profile) on the UpGuard platform]

Why is HECVAT Important?

HECVAT is important because higher education institutions rely heavily on outsourcing, and every outsourced service introduces potential vendor risk.

Higher education is outsourcing more because good vendors provide benefits, including:

  • Specialization: Many products or services are so specialized that outsourcing to a dedicated company provides better performance and a lower level of risk than performing the function in-house, e.g., accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement or loan servicing.
  • Cost savings: Many vendors offer goods or services at a lower cost than if they were produced internally.

As a security questionnaire, HECVAT forms an important part of proper Vendor Risk Management.


Who Uses HECVAT?

The intended audiences for HECVAT are colleges, universities, and the third-party service providers they contract with. According to EDUCAUSE, dozens of leading organizations have adopted HECVAT to measure the potential risks to their university, campus, and student body from third and fourth parties, including:

  • American University
  • Appalachian State University
  • Art Institute of Chicago
  • Bates College
  • Baylor University
  • Berry College
  • Black Hills State University
  • Boston College
  • Bowling Green State University
  • Brown University
  • California Baptist University
  • California State University, all Campuses, and System
  • Carnegie Mellon University
  • Carthage College
  • Champlain College
  • Clarkson University
  • Columbus State Community College
  • Cornell University
  • Davidson College
  • Denison University
  • DeSales University
  • Drake University
  • Drexel University
  • Duquesne University
  • East Carolina University
  • Ferris State University
  • Foothill-De Anza Community College District
  • Franklin & Marshall College
  • Gallaudet University
  • Georgia Institute of Technology
  • Hillsborough Community College
  • Indiana University
  • Indiana Wesleyan University
  • Institute for Advanced Study
  • John Carroll University
  • Kent State University
  • LeTourneau University
  • Linfield College
  • Longwood University
  • Madison College
  • Methodist University
  • Miami University
  • Montclair State University
  • Montgomery College
  • Morgan State University
  • Northern Arizona University
  • Oakland University
  • Ohio Northern University
  • Oregon State University
  • Pace University
  • Pacific University
  • Pepperdine University
  • Princeton University
  • Radford University
  • Rice University
  • Rowan University
  • Rutgers University
  • Sam Houston State University
  • Southern Alberta Institute of Technology
  • Springfield College
  • Stony Brook University
  • Suffolk County Community College
  • Susquehanna University
  • Tennessee Tech University
  • Texas State University
  • Troy University
  • Truman State University
  • University of California, Davis
  • University of Delaware
  • University of Denver
  • University of Idaho
  • University of Maine System
  • University of Maryland Baltimore
  • University of Massachusetts Amherst
  • University of Oregon
  • University of Portland
  • University of Rhode Island
  • University of Richmond
  • University of Tennessee, Knoxville
  • The University of Texas at Austin
  • Virginia Tech
  • West Texas A&M University
  • West Virginia University
  • Western Carolina University
  • Western Michigan University
  • William & Mary
  • Williams College
  • Yavapai College

What is in the HECVAT Toolkit?

The Higher Education Community Vendor Assessment Toolkit (HECVAT) includes the following tools:

  • HECVAT Full - HECVAT Full is the complete security assessment. It covers all 22 categories and 265 questions and is designed for vendors handling the most critical data. Its categories also include assessments for HIPAA and PCI-DSS compliance.
  • HECVAT Lite - HECVAT Lite covers 14 of the 22 categories and omits the HIPAA and PCI-DSS questions. With only 62 questions, the Lite version saves time for vendors that aren't handling critical data.
  • HECVAT On-Premise - HECVAT On-Premise is the shortest version of the tool, consisting of 11 categories and 55 questions. Vendors whose product is delivered as on-premise appliances or software rather than as a cloud service can use On-Premise to assess their security risks.

There is a fourth tool, called HECVAT Triage, which vendors or schools can use to determine which of the three main versions of HECVAT they need for their vendor risk assessment.

Should I Rely Solely on HECVAT?

While HECVAT is a great security assessment template, on its own it doesn't form a complete vendor risk management program.

HECVAT is a point-in-time, self-reported assessment: it is static and subjective, and it doesn't account for changes that occur after you receive the completed assessment from a vendor.

This is why security ratings are important. Security ratings are a data-driven, objective, and dynamic measure of a vendor's security posture.

Third-party risk management teams commonly use them to monitor and benchmark vendors continuously.

Security ratings are calculated from objective, externally observable, continuously available, and verifiable information. This means they stay current between questionnaire cycles and complement traditional security assessments.

According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services.

Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A, and even as a raw metric for internal security programs.

Many security leaders also find security ratings invaluable for increasing security awareness, managing cybersecurity performance, and reporting cybersecurity metrics to their Board of Directors, C-Suite, and even shareholders.


Integrating HECVAT into Your VRM Program

Establishing HECVAT as part of your VRM program requires a series of steps to ensure that the program is formalized and complete. An effective third-party risk management program should cover all aspects of the vendor lifecycle, including the following:

  • Initial risk assessment and vendor screening
  • Vendor onboarding process
  • Audit and review process
  • Reporting expectations
  • Continuous vendor monitoring
  • Data sharing thresholds
  • Risk acceptance levels
  • Regulatory compliance
  • Vendor relationship management

While the HECVAT is a powerful core assessment tool, it shouldn't be the only one used to establish a system of controls and assessments. Other assessments and compliance certifications should be used alongside HECVAT to ensure that all the bases are covered. Schools should also consider using dedicated VRM solutions, like UpGuard, which can help assess vendors with automated software and workflows.

The integration process consists of three main phases, each with its own set of steps:

  1. Preparation
  2. Integration
  3. Management

Here’s how your organization can begin to implement a strong VRM program with HECVAT:

Preparing for a VRM Program using HECVAT

Here are some actionable items that should be completed before establishing HECVAT as part of the VRM program:

Identify Which HECVAT Version the Vendor Needs

Schools need to understand the use case and the type of data the vendor will handle in order to assign the correct version of HECVAT. Vendors working with non-critical data don't need to complete HECVAT Full and would otherwise spend unnecessary time trying to meet requirements that don't apply to them. Conversely, vendors working with critical data need to complete HECVAT Full to demonstrate that they meet all the requirements.

Ideally, all schools should complete HECVAT Triage to determine the correct version the vendor needs to complete.

Determine Risk Acceptance Levels

During the risk assessment process, schools need to determine the level of risk they are willing to accept before agreeing to partner with the vendor. All vendors will have some risk that needs to be remediated, but if they don’t meet the minimum standards set by the institution, their risk profile may be too large to accept.

In addition to their HECVAT score, schools should create their own internal grading system or checklist to determine if the risks involved are minimal enough to resolve and if the importance of the vendor is worth taking on the risk. Schools can customize their evaluation criteria to determine what risks are non-negotiable based on their long-term business goals.

Consider Adopting a Dedicated VRM Solution

Vendor relationship management is a crucial part of VRM, and with hundreds or thousands of vendors to manage, using a manual process with folders and spreadsheets creates room for error and inefficiencies. It can also be time-consuming and resource-intensive, which is why schools should consider using dedicated VRM solutions.

Automation is a big part of any vendor risk management program because it allows schools to assess vendor risks, manage security questionnaires like HECVAT, gain an overview of their vendors, and track vendor progress on a single dashboard. Additionally, the VRM solution can send out and collect questionnaire responses automatically, saving valuable time and energy.

Integrating HECVAT into the VRM Program

Once preparation and planning are complete, you can begin to integrate HECVAT into your VRM program:

Requesting HECVAT from Vendors

Whether newly onboarded or long-time partners, schools can request that vendors complete HECVAT based on the version assigned to them. Once completed, the school needs to collect and evaluate the results to move on to the next step.

In the same communication, schools can also request certifications, questionnaires, and any other required documentation as part of their new VRM program.

Assess Vendor Risk and Identify Security Gaps

Once HECVAT results have been submitted during the procurement process, it's up to the school and its security team to begin vendor due diligence. The first part of the assessment is risk tiering, which classifies vendors by risk level (Low, Medium, High, Critical) based on their HECVAT results and the sensitivity of the data they handle. A vendor with a low HECVAT score is immediately classified as Critical Risk, and its further evaluation should be prioritized.

If a prospective vendor is classified as High or Critical Risk, it may not be advisable to work with it, depending on the risk acceptance levels determined earlier. In that case, schools should reject the vendor and seek alternatives.

However, if an essential vendor has a poor HECVAT score, its risk remediation should be prioritized to limit the chance of a security breach or data exposure. Dedicated VRM solutions can also quickly assess security postures with instant security ratings and questionnaires.

Catalog Vendors and Begin Prioritizing Risk Remediation

Once a vendor meets the minimum security requirements, schools should add it to a complete vendor catalog as part of vendor relationship management. A complete list of vendors also helps prioritize remediation according to each vendor's level of risk.

Schools can begin risk and vulnerability remediation by prioritizing high-risk vendors that handle the most sensitive data. Although the goal is to resolve all identified risks, this ordering creates a better workflow for organizing vendor security. A great way to keep an accurate catalog of vendors and their security postures is through a dedicated solution like UpGuard Vendor Risk.
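The tiering, risk acceptance and remediation prioritization described in the preceding sections (determining risk acceptance levels, assessing vendor risk, and cataloging vendors), as an added example that is not part of the original article and not code from HECVAT, EDUCAUSE or UpGuard. It assumes a single 0-100 summary score derived from a completed questionnaire, assumed score thresholds (below 60 is Critical outright), and the institution's own data-sensitivity classification; every vendor name and score in it is constructed.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List


class Tier(IntEnum):
    """Risk tier (higher is riskier); also used to classify data sensitivity."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Assumed threshold: below this HECVAT score a vendor is Critical Risk outright,
# regardless of what data it handles.
CRITICAL_SCORE_FLOOR = 60


@dataclass
class Vendor:
    name: str
    hecvat_score: float       # assumed 0-100 summary score of the completed questionnaire
    data_sensitivity: Tier    # institution's classification of the data the vendor handles
    essential: bool = False   # hard to replace (e.g. a core system); drives remediate-vs-reject
    onboarded: bool = False   # existing partner (True) vs. prospective vendor (False)


def likelihood_from_score(score: float) -> Tier:
    """Map a HECVAT score to a likelihood band (assumed thresholds)."""
    if score < CRITICAL_SCORE_FLOOR:
        return Tier.CRITICAL
    if score < 75:
        return Tier.HIGH
    if score < 90:
        return Tier.MEDIUM
    return Tier.LOW


def risk_tier(vendor: Vendor) -> Tier:
    """Likelihood (from score) x impact (from data sensitivity) on a 4x4 matrix,
    with a low score short-circuiting to Critical as the article describes."""
    likelihood = likelihood_from_score(vendor.hecvat_score)
    if likelihood == Tier.CRITICAL:
        return Tier.CRITICAL
    product = int(likelihood) * int(vendor.data_sensitivity)  # ranges 1..12 here
    if product >= 9:
        return Tier.CRITICAL
    if product >= 6:
        return Tier.HIGH
    if product >= 3:
        return Tier.MEDIUM
    return Tier.LOW


def decide(vendor: Vendor, accept_up_to: Tier) -> str:
    """Apply the institution's risk acceptance level.

    "accept": tier is within the acceptance level.
    "reject": prospective, non-essential vendor above the acceptance level.
    "remediate": essential or already-onboarded vendor whose gaps must be closed.
    """
    tier = risk_tier(vendor)
    if tier <= accept_up_to:
        return "accept"
    if not vendor.onboarded and not vendor.essential:
        return "reject"
    return "remediate"


def remediation_queue(vendors: Iterable[Vendor], accept_up_to: Tier) -> List[Vendor]:
    """Vendors needing remediation, most urgent first: highest tier, then most
    sensitive data, then lowest HECVAT score."""
    needing = [v for v in vendors if decide(v, accept_up_to) == "remediate"]
    return sorted(
        needing,
        key=lambda v: (-int(risk_tier(v)), -int(v.data_sensitivity), v.hecvat_score),
    )


# Constructed sample catalog; not real vendors, scores or classifications.
SAMPLE_VENDORS = [
    Vendor("lms-cloud", 55, Tier.CRITICAL, essential=True, onboarded=True),
    Vendor("payroll-saas", 80, Tier.CRITICAL, essential=True, onboarded=True),
    Vendor("survey-tool", 65, Tier.HIGH),
    Vendor("parking-app", 70, Tier.LOW),
    Vendor("library-catalog", 95, Tier.MEDIUM, onboarded=True),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name:16} tier={risk_tier(v).name:8} -> {decide(v, Tier.MEDIUM)}")
    queue = remediation_queue(SAMPLE_VENDORS, Tier.MEDIUM)
    print("remediation order:", [v.name for v in queue])
```

With the acceptance level set to Medium, the constructed catalog yields two accepted vendors, one rejected prospect (a 65 score against High-sensitivity data lands in Critical), and a remediation queue led by the essential vendor whose score fell below the Critical floor. The thresholds and the matrix cut-offs are the part each institution should tune to its own grading system; the structure (score, data sensitivity, acceptance level, essential-vendor override) is what the article's process calls for.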

Managing VRM Programs with HECVAT

Successful VRM programs don’t stop after the assessment portion — they must continue to scale and mature over time to keep up with growing cyber threats.

Practice Continuous Monitoring

VRM programs should work around the clock to identify data leaks, potential security breaches, and unpatched vulnerabilities. Whether it's an IT team actively monitoring third-party security or automated software from a VRM solution, maintaining visibility into vendors' security postures is one of the most important things to do.

To address supply chain risk in particular, schools should consider an attack surface monitoring tool that continuously monitors all potential cyber risks and entry points, including those introduced by third and fourth parties.

Perform Annual Audits and Reviews

Higher education schools can require vendors to complete HECVAT annually to confirm that their data security practices remain up to date. Vendors that have fallen behind should be quickly identified and alerted, and if a vendor consistently maintains poor security, it may be time to find a replacement.

This step can also include other vendor assessments and isn't limited to an annual cadence. In some cases, semi-annual assessments may be necessary to identify third-party risks in time.


Build a Vendor Maturity Model

As the organization grows, vendor security must grow along with it. Different vendors will be at different stages of the maturity model, so it's important to identify which stage each vendor is at so that its maturity can be measured and tracked. The maturity model also gives the vendor a framework for developing a strategy and pathway to improve its security program.

An example of a vendor maturity model can include the following stages:

  1. Startup or no third-party risk management
  2. Initial vision and ad hoc activity
  3. Approved roadmap and ad hoc activity
  4. Defined and established security
  5. Fully implemented and operational
  6. Continuous improvement and independence

How UpGuard Supports HECVAT Compliance

UpGuard’s Vendor Risk Management solution includes HECVAT-specific security questionnaires for both HECVAT Full and HECVAT Lite, allowing both education entities and their suppliers to track compliance efforts.

[Screenshot: HECVAT security questionnaires on the UpGuard platform]

By also helping organizations detect and mitigate third-party security risks, UpGuard helps educational entities reduce the chance of student data being compromised in third-party data breaches.
