Toolkit Streamlines Vendor Security Screening Process

When your institution is buying a new technology solution, this Educause tool can eliminate the tedious work of vetting the security posture of the companies you're considering.

• By Dian Schaffhauser
• 07/09/20

You know the drill. Your institution is deciding on a new technology solution. But before your school can sign any contract, your IT team has to find out what security paces that product or service has gone through. Performing IT security reviews is a tedious, time-consuming business for IT, requiring back-and-forth communication between your team members and the vendors to get the same set of questions answered over and over with each subsequent company: Who do you share our data with? Where do you store the data? Do you have a disaster recovery plan?

Even when you have the information in your hands, that's not the end of the work. Somebody has to make sure that whatever the vendor (or sales rep) has told you really meshes with your campus's expectations.

Crowdsourcing the Security Review Process

In 2016, Educause kicked off a working group to come up with a better way to handle security reviews — using crowdsourcing. The result: the Higher Education Cloud Vendor Assessment Tool (HECVAT). The tool was eventually renamed the Higher Education Community Vendor Assessment Toolkit — same acronym — to reflect its use not just with cloud solutions but also with on-premise programs.

In the intervening years, that working group, which includes numerous campus representatives as well as experts from Educause, Internet2 and REN-ISAC, has continued evolving HECVAT through progressive phases.

What HECVAT Looks Like

The full tool, in its latest spreadsheet form, includes hundreds of security-related questions in 22 areas: application security, business continuity, policies and procedures and so on. In the latest year, HIPAA has been added as a topic area along with various ISO and NIST standards. Vendors that develop responses to those questions can file the resulting document with Educause's Higher Education Information Security Council, allowing any institution to do quick vendor security vetting.

REN-ISAC also hosts a subset of completed HECVAT forms in a "cloud broker index" on its website. Currently, about 23 companies — including Google — have voluntarily posted their assessments, which are publicly available. Other vendors have chosen to host their own HECVAT in more private ways, with the expectation that the institution will ask for access. Whichever route a vendor goes, the result is an elimination of the back-and-forth between the school and the solution provider sales person, trying to get and give answers to a litany of questions.

Multiple Versions of HECVAT

Also, there's no longer just a single version of HECVAT. While the "full" edition is intended for the most critical data sharing engagements, a "lite" version exists to expedite the process. And an on-premise tool can specifically be used to evaluate on-premise appliances and software, and the security status of local software managed by a vendor.

While all three of those are intended to be filled out by the vendor, not the school, a "triage" edition has also been introduced specifically for use as a prerequisite in risk/security assessment projects. Institutions that are interested in sharing their data with a third-party company can fill out the triage version to document and summarize data sharing intents, data sharing scope, data elements, and technology requirements.

Advancing Security Through Collaboration

Now, the working group is ready to push more institutions to adopt the use of HECVAT. Nick Lewis, Internet2's program manager for security and identity, recently wrote, "As more campuses and service providers adopt the HECVAT, it becomes more than a toolkit. The HECVAT is an example of how increasing collaboration across higher education institutions and organizations can facilitate advances in security risk management and streamline procurement processes."