January 11, 2021
Let’s talk HECVAT
It seems relevant to talk about security, especially now that the giant and ever-broadening hack of our nation’s networks is beginning to actively affect IT in higher education. We have more to say later about that hack and what it means for higher ed, but for the moment let’s focus on prevention and on a terrific tool: the HECVAT.
The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template focused on the data handling and protection procedures that have been implemented by vendors. The HECVAT attempts to standardize higher education information security and data protection questions, along with issues regarding cloud services, for consistency and ease of use.
The HECVAT comes in several versions, all free to use, that provide a consistent, streamlined third-party risk assessment framework. There are three questionnaires:
- Full (original) version: 265 questions, including qualifying questions for the opt-in HIPAA and PCI DSS sections
- Lite version: a lightweight questionnaire used to expedite the process
- On-Premises version: a questionnaire used to evaluate on-premises applications and software
The HECVAT is based on a combination of vendor risk management best practices and common security control requirements that have been consolidated from multiple sources.
Why was the HECVAT created?
In cybersecurity, there are a few industries that are always part of the conversation, including: healthcare, finance, government and, more recently, higher education.
The creation of the Higher Education Cloud Vendor Assessment Tool (HECVAT), which has now been renamed to the Higher Education Community Vendor Assessment Tool (HECVAT) to better reflect its intended use beyond the cloud, was driven by the following trends:
- The increasing number of third-party vendors used by the average university or college
- The need to protect the PII (Personally identifiable Information) of the various campus constituents
- The need to protect institutional information and sensitive data
- The increasing size and frequency of data breaches and data leaks
- The growth in cloud services and cloud providers
The HECVAT was created by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group, in collaboration with Internet2 and REN-ISAC by combining various vendor assessments and analyzing which regulations worked best for different higher education situations.
Why is the HECVAT important?
The HECVAT is important because institutions of higher education are heavily reliant on outsourcing and third-party services, which introduces vendor risk. By using a standardized assessment, schools benefit from the time and effort that went into building the HECVAT, while vendors can respond thoroughly to the questions in a consistent format. Together, this avoids the frustration of having to respond to a different individualized questionnaire for every institution.
Higher education outsources because vendors provide benefits including:
- Specialization: Many products or services are so specialized that outsourcing to a dedicated company will provide better performance and a lower level of risk than performing the function in-house.
- Cost savings: Many vendors benefit from economies of scale and are able to offer a good or service at a lower cost than you would be able to achieve internally.
As a security questionnaire, the HECVAT forms an important part of a robust vendor risk management (VRM) program.
What are the benefits of using the HECVAT?
The HECVAT allows higher education security teams to operate more efficiently, by helping ensure that cloud (and other) services are appropriately assessed for security and privacy needs – including those unique to higher education institutions.
The HECVAT aims to allow adoption of cloud services to reduce costs and simplify operations without increasing cybersecurity risk. At the same time, it reduces the burden that service providers face when responding to security assessment requests from institutions of higher education.
Who uses the HECVAT?
The intended audiences for the HECVAT are colleges and universities and the third-party service providers with which they contract. According to EDUCAUSE, more than 100 leading organizations have adopted the HECVAT to measure the potential risks to their university, campus, and student body from third- and fourth-parties.
What is in the HECVAT toolkit?
The Higher Education Community Vendor Assessment toolkit includes:
- Cloud Broker Index – The CBI provides an up-to-date list of vendors who have willingly shared their completed HECVAT
- HECVAT Full Version – Robust questionnaire used to assess the most critical data-sharing engagements
- HECVAT Lite – A lightweight questionnaire used to expedite the process
- On-Premises – Unique questionnaire used to evaluate on-premises appliances and software
- Triage – Used to initiate risk/security assessment requests; it should be reviewed to determine which assessment is required
The HECVAT process
Most simply, an institution asks a third party to complete the version of the HECVAT from the toolkit that fits its needs, as part of the assessment and selection process. The vendor must answer all the questions and provide data and evidence to support its responses. The responses are scored, with a score above 70% generally treated as the expected minimum. Certain answers are highlighted for review by the institution, and follow-up questions are often put to the vendor.
A useful response is thorough and typically includes links to supporting information such as policies, additional documentation, and the results of security audits.
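To make the scoring step concrete, here is an added example (not code from this page, from Watchman, or from EDUCAUSE) that scores a HECVAT-style questionnaire export and lists the answers an institution would want to follow up on. The CSV layout, the question IDs, the weights, and the scoring rule are all assumptions made for illustration; the official HECVAT spreadsheets carry their own scoring sheet, and the only figure taken from the page is the 70% expected minimum.

```python
"""Score a HECVAT-style vendor questionnaire export and flag answers for follow-up.

Added example, not the HECVAT's own scoring sheet. Assumed rule: a 'Yes' earns the
question's full weight; 'No' earns nothing and is flagged; opt-in questions (HIPAA,
PCI) count only when the institution opts in for that engagement; 'N/A' on a
question that does count earns nothing and is flagged so the vendor can justify it.
"""
import csv
import io

# Constructed sample export with hypothetical question IDs, sections and weights.
SAMPLE_CSV = """\
qid,section,weight,opt_in,answer
Q01,Application security,3,,Yes
Q02,Application security,2,,No
Q03,Authentication,3,,Yes
Q04,Data handling,3,,Yes
Q05,Data handling,1,,N/A
Q06,HIPAA,2,HIPAA,N/A
Q07,PCI DSS,3,PCI,Yes
Q08,PCI DSS,2,PCI,No
"""

PASSING_THRESHOLD = 70.0  # "above 70%" is the expected minimum described on the page


def load_responses(csv_text):
    """Parse the export; weight becomes an int and an empty opt_in column becomes None."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "qid": row["qid"].strip(),
            "section": row["section"].strip(),
            "weight": int(row["weight"]),
            "opt_in": row["opt_in"].strip() or None,
            "answer": row["answer"].strip().lower(),
        })
    return rows


def score(rows, opt_ins=frozenset()):
    """Return the conditional score plus the answers that need institutional review.

    opt_ins names the opt-in groups that apply to this engagement, e.g. {"PCI"} for a
    payments vendor that never sees PHI. Questions in other opt-in groups are left out
    of the denominator entirely rather than counted against the vendor.
    """
    earned = possible = 0
    flagged = []
    for r in rows:
        if r["opt_in"] and r["opt_in"] not in opt_ins:
            continue  # not applicable to this engagement: excluded from the denominator
        possible += r["weight"]
        if r["answer"] == "yes":
            earned += r["weight"]
        else:
            # 'no', 'n/a' and anything unexpected all go to the reviewer
            flagged.append((r["qid"], r["section"], r["answer"]))
    pct = round(100.0 * earned / possible, 2) if possible else 0.0
    return {"earned": earned, "possible": possible, "score": pct,
            "flagged": flagged, "passes": pct > PASSING_THRESHOLD}


def report(result):
    """Render a short reviewer summary."""
    lines = [f"score {result['score']}% ({result['earned']}/{result['possible']} points), "
             f"{'above' if result['passes'] else 'at or below'} the {PASSING_THRESHOLD}% minimum"]
    for qid, section, answer in result["flagged"]:
        lines.append(f"  follow up: {qid} [{section}] answered '{answer}'")
    return "\n".join(lines)


if __name__ == "__main__":
    responses = load_responses(SAMPLE_CSV)
    # A payments engagement: PCI questions count, HIPAA questions do not.
    print(report(score(responses, {"PCI"})))
```

Running the block with only the PCI opt-in scores the constructed sample at 12 of 17 points (70.59%, just above the minimum) and lists Q02, Q05 and Q08 for follow-up; opting in to HIPAA as well adds Q06's weight to the denominator and drops the same responses below 70%, which is the point of treating opt-in sections conditionally rather than scoring every row.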
Should you rely solely on the HECVAT?
The HECVAT gives you a great tool for screening potential vendors on how serious they really are about keeping your data secure. Vendors who have posted to the CBI, or who have an assessment readily available, have made the investment in security and made that investment easy to audit. It is a great security assessment filter.
Of course, on top of the HECVAT, your institution should make sure the prospective vendor can meet your particular requirements.
Shortcut the assessment process using the CBI
A number of cloud providers, such as Google (and Watchman Payment Systems, WPS), have already completed the HECVAT questionnaire and provide their assessments on the Cloud Broker Index (CBI).
The CBI provides an up-to-date list of vendors who have willingly shared their completed HECVAT, allowing security assessors at colleges and universities to use the posted assessment, saving both sides time.
Watchman Payment Systems posted its assessment for its STEP platform to the CBI so prospective customers can evaluate its security processes directly. Alternatively, Watchman’s HECVAT is available upon request.