Toolkit Streamlines Vendor Security Screening Process

When your institution is buying a new technology solution, this Educause tool can eliminate the tedious work of vetting the security posture of the companies you're considering.


You know the drill. Your institution is deciding on a new technology solution. But before your school can sign any contract, your IT team has to find out what security paces that product or service has gone through. Performing IT security reviews is a tedious, time-consuming business for IT, requiring back-and-forth communication between your team members and the vendors to get the same set of questions answered over and over with each subsequent company: Who do you share our data with? Where do you store the data? Do you have a disaster recovery plan?

Even when you have the information in your hands, that's not the end of the work. Somebody has to make sure that whatever the vendor (or sales rep) has told you really meshes with your campus's expectations.

Crowdsourcing the Security Review Process

In 2016, Educause kicked off a working group to come up with a better way to handle security reviews — using crowdsourcing. The result: the Higher Education Cloud Vendor Assessment Tool (HECVAT). The tool was eventually renamed the Higher Education Community Vendor Assessment Toolkit — same acronym — to reflect its use not just with cloud solutions but also with on-premise programs.

In the intervening years, that working group, which includes numerous campus representatives as well as experts from Educause, Internet2 and REN-ISAC, has continued evolving HECVAT through progressive phases.

What HECVAT Looks Like

The full tool, in its latest spreadsheet form, includes hundreds of security-related questions in 22 areas: application security, business continuity, policies and procedures and so on. In the latest year, HIPAA has been added as a topic area along with various ISO and NIST standards. Vendors that develop responses to those questions can file the resulting document with Educause's Higher Education Information Security Council, allowing any institution to do quick vendor security vetting.

REN-ISAC also hosts a subset of completed HECVAT forms in a "cloud broker index" on its website. Currently, about 23 companies — including Google — have voluntarily posted their assessments, which are publicly available. Other vendors have chosen to host their own HECVAT in more private ways, with the expectation that the institution will ask for access. Whichever route a vendor takes, the result is the elimination of the back-and-forth between the school and the solution provider's salesperson, trying to get and give answers to a litany of questions.

Multiple Versions of HECVAT

Also, there's no longer just a single version of HECVAT. While the "full" edition is intended for the most critical data sharing engagements, a "lite" version exists to expedite the process. And an on-premise tool can specifically be used to evaluate on-premise appliances and software, and the security status of local software managed by a vendor.

While all three of those are intended to be filled out by the vendor, not the school, a "triage" edition has also been introduced specifically for use as a prerequisite in risk/security assessment projects. Institutions that are interested in sharing their data with a third-party company can fill out the triage version to document and summarize data sharing intents, data sharing scope, data elements, and technology requirements.

Advancing Security Through Collaboration

Now, the working group is ready to push more institutions to adopt the use of HECVAT. Nick Lewis, Internet2's program manager for security and identity, recently wrote, "As more campuses and service providers adopt the HECVAT, it becomes more than a toolkit. The HECVAT is an example of how increasing collaboration across higher education institutions and organizations can facilitate advances in security risk management and streamline procurement processes."

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
