What is the HECVAT?

Understanding HECVAT: Essential Insights from HECVAT Pro

Higher education institutions often outsource various services, from accounting to procurement, to third-party vendors. While outsourcing can provide numerous benefits, such as specialization and cost savings, it can also introduce potential vendor risks. As a result, it is crucial for universities and colleges to assess their third-party vendors’ security and privacy needs.

The Higher Education Community Vendor Assessment Tool (HECVAT) was developed to provide a standardized security assessment template that addresses higher education’s unique information security and data protection issues regarding cloud services. The HECVAT assessment aims to reduce cybersecurity risks and cut down on costs associated with vendor risk management by combining best practices and common security control requirements.

The HECVAT has three free versions that map to popular cybersecurity frameworks, including ISO 27002, NIST CSF, NIST 800-171, and PCI DSS.

The original version (HECVAT Full) contains 265 questions, including qualifying questions for HIPAA and PCI DSS opt-in. The lightweight version (HECVAT Lite) is a streamlined questionnaire designed to expedite the assessment process. Finally, the on-premise version is a separate questionnaire used to evaluate on-premise applications and software.

The HECVAT was created by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group in collaboration with Internet2 and REN-ISAC by crowdsourcing various vendor assessments and analyzing which regulations worked best for different higher education situations.

Benefits of Using HECVAT

By using HECVAT, higher education security teams can operate more efficiently, ensuring that cloud services are adequately assessed for security and privacy needs. It also helps to reduce the burden that cloud service providers face when responding to security assessment requests from higher education institutions.

HECVAT aims to reduce costs associated with cloud services while not increasing cybersecurity risk. Several cloud providers, such as Google, have completed the HECVAT questionnaire and provided their HECVAT assessments on the Cloud Broker Index (CBI). The CBI provides an up-to-date list of vendors who have willingly shared their complete HECVAT, allowing security assessors at colleges and universities to use the posted assessment, saving both sides time.

From a vendor’s perspective, preemptively demonstrating HECVAT compliance to prospects could significantly speed up the sales cycle since SaaS products often require IT and procurement approval. These completed assessments – and any other relevant security documentation – can be uploaded to a Shared Profile on the UpGuard platform so that they can be conveniently shared with prospects.

Who Uses HECVAT?

The intended audiences for HECVAT are colleges, universities, and the third-party service providers they contract with. According to EDUCAUSE, dozens of leading organizations have adopted HECVAT to measure the potential risks to their university, campus, and student body from third and fourth parties.

What is in the HECVAT Toolkit?

The HECVAT toolkit includes Cloud Broker Index, HECVAT Full Version, HECVAT Lite, On-Premises, and Triage. UpGuard offers security questionnaires for both HECVAT Lite and HECVAT Full.

Should You Rely Solely on HECVAT?

While HECVAT is a great security assessment template, it doesn’t form a complete vendor risk management program. HECVAT is a point-in-time assessment that is static and subjective. It doesn’t account for changes that can occur after you receive the complete security assessment from a vendor.

This is why security ratings are important. Security ratings are a data-driven, objective, and dynamic measure of a vendor’s security posture. Third-party risk management teams commonly use them to monitor and benchmark vendors continuously.

Security ratings are calculated based on objective, externally observable, continuously available, and verifiable


David Clarkson
