It seems relevant to talk about security, especially in times when the giant and ever-broadening hack of our nation’s networks is beginning to actively impact IT in higher education. We do have more to say later about the hack and what it means for Higher Ed, but for the moment, let’s focus on prevention and a terrific tool: the HECVAT.
The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template focused on the data handling and protection procedures that have been implemented by vendors. The HECVAT attempts to standardize higher education information security and data protection questions, along with issues regarding cloud services, for consistency and ease of use.
The HECVAT has various versions that are free to use and provide a consistent, streamlined third-party risk assessment framework. There are three versions:
The HECVAT is based on a combination of vendor risk management best practices and common security control requirements that have been consolidated from multiple sources.
In cybersecurity, there are a few industries that are always part of the conversation, including healthcare, finance, government and, more recently, higher education.
The creation of the Higher Education Cloud Vendor Assessment Tool (HECVAT), which has now been renamed to the Higher Education Community Vendor Assessment Tool (HECVAT) to better reflect its intended use beyond the cloud, was driven by the following trends:
The HECVAT was created by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group, in collaboration with Internet2 and REN-ISAC, by combining various vendor assessments and analyzing which regulations worked best for different higher education situations.
The HECVAT is important because institutions of higher education are heavily reliant on outsourcing and on-sourcing – introducing potential vendor risk. By utilizing a standardized assessment, schools benefit from the time and effort that went into building the HECVAT, while vendors can respond thoroughly to the questions using a consistent format. Together, this helps avoid the frustration of having to respond to individualized questionnaires.
Higher education outsources because vendors provide benefits including:
As a security questionnaire, the HECVAT forms an important part of a robust vendor risk management (VRM) program.
The HECVAT allows higher education security teams to operate more efficiently by helping ensure that cloud (and other) services are appropriately assessed for security and privacy needs – including those unique to higher education institutions.
The HECVAT aims to allow adoption of cloud services to reduce costs and simplify operations without increasing cybersecurity risk. At the same time, it reduces the burden that service providers face when responding to security assessment requests from institutions of higher education.
The intended audiences for the HECVAT are colleges, universities, and the third-party service providers with which they contract. According to EDUCAUSE, more than 100 leading organizations have adopted the HECVAT to measure the potential risks to their university, campus, and student body from third and fourth parties.
The Higher Education Community Vendor Assessment toolkit includes:
Most simply, institutions may request that a third party supply the version of the HECVAT from the toolkit that meets their needs as part of their assessment and selection process. Vendors must answer all the questions and provide data and evidence to support their responses. A conditional score is given, with above 70% being the expected minimum score. Some of the answers are highlighted for review by the institution, and follow-up questions are often requested of the third party.
A useful response is typically thorough and will often include links to supporting information, such as policies, additional documentation, and the results of security audits.
The HECVAT gives you a great tool to screen potential vendors for how serious they really are about keeping your data secure. Vendors who have posted on the CBI, or who have a readily available assessment, have made the investment in security and have made their level of seriousness easy to audit. It is a great security assessment filter.
Of course, on top of the HECVAT, your institution should make sure the prospective vendor can meet your particular requirements.
A number of cloud providers, such as Google (and WPS), have already completed the HECVAT questionnaire and provide their assessments on the Cloud Broker Index (CBI).
The CBI provides an up-to-date list of vendors who have willingly shared their completed HECVAT, allowing security assessors at colleges and universities to use the posted assessment, saving both sides time.
Watchman Payment Systems posted its assessment to the CBI for its STEP platform so prospective customers can evaluate its security processes directly. Alternatively, Watchman’s HECVAT is available upon request.